Abstract. The interest in post-quantum cryptography — classical systems that remain secure in the presence of a quantum adversary — has generated elegant proposals for new cryptosystems. Some of these systems are set in the random oracle model and are proven secure relative to adversaries that have classical access to the random oracle. We argue that to prove post-quantum security one needs to prove security in the quantum-accessible random oracle model where the adversary can query the random oracle with quantum states.

We begin by separating the classical and quantum-accessible random oracle models by presenting a scheme that is secure when the adversary is given classical access to the random oracle, but is insecure when the adversary can make quantum oracle queries. We then set out to develop generic conditions under which a classical random oracle proof implies security in the quantum-accessible random oracle model. We introduce the concept of a history-free reduction which is a category of classical random oracle reductions that basically determine oracle answers independently of the history of previous queries, and we prove that such reductions imply security in the quantum model. We then show that certain post-quantum proposals, including ones based on lattices, can be proven secure using history-free reductions and are therefore post-quantum secure. We conclude with a rich set of open problems in this area.

1 Introduction

The threat to existing public-key systems posed by quantum computation [Sho97] has generated considerable interest in post-quantum cryptosystems, namely systems that remain secure in the presence of a quantum adversary. A promising direction is lattice-based cryptography, where the underlying problems are related to finding short vectors in high dimensional lattices. These problems have so far remained immune to quantum attacks and some evidence suggests that they may be hard for quantum computers [Reg02].



As is often the case, the most efficient constructions in lattice-based cryptography are set in the random oracle (RO) model [BR93]. For example, Gentry, Peikert, and Vaikuntanathan [GPV08] give elegant random oracle model constructions for existentially unforgeable signatures and for identity-based encryption. Gordon, Katz, and Vaikuntanathan [GKV10] construct a random oracle model group signature scheme. Boneh and Freeman [BF11] give a random oracle homomorphic signature scheme and Cayrel et al. [CLRS10] give a lattice-based signature scheme using the Fiat-Shamir random oracle heuristic. Some of these lattice constructions can now be realized without random oracles, but at a significant cost in performance [CHKP10, ABB10a, Boy10].

Modeling Random Oracles for Quantum Attackers. While quantum resistance is good motivation for lattice-based constructions, most random oracle systems to date are only proven secure relative to an adversary with classical access to the random oracle. In this model the adversary is given oracle access to a random hash function $O : \{0,1\}^* \to \{0,1\}^*$ and it can only "learn" a value $O(x)$ by querying the oracle $O$ at the classical state $x$. However, to obtain a concrete system, the random oracle is eventually replaced by a concrete hash function, thereby enabling a quantum attacker to evaluate this hash function on quantum states. To capture this issue in the model, we allow the adversary to evaluate the random oracle "in superposition", that is, the adversary can submit quantum states $|\psi\rangle = \sum_x \alpha_x |x\rangle$ to the oracle $O$ and receives back the evaluated state $\sum_x \alpha_x |O(x)\rangle$ (appropriately encoded to make the transformation unitary). We call this the quantum(-accessible) random oracle model. It complies with similar efforts from learning theory [BJ99, SG04] and computational complexity [BBBV97] where oracles are quantum-accessible, and from lower bounds for quantum collision finders [AS04]. Still, since we are only interested in classical cryptosystems, honest parties and the scheme's algorithms can access $O$ only via classical bit strings.

Proving security in the quantum-accessible RO model is considerably harder than in the classical model. As a simple example, consider the case of digital signatures. A standard proof strategy in the classical setting is to choose randomly one of the adversary's RO queries and embed in the response a given instance of a challenge problem. One then hopes that the adversary uses this response in his signature forgery. If the adversary makes $q$ random oracle queries, then this happens with probability $1/q$ and since $q$ is polynomial this success probability is sufficiently high for the proof of security in the classical setting. Unfortunately, this strategy fails completely in the quantum-accessible random oracle model since every random oracle query potentially evaluates the random oracle at exponentially many points. Therefore, embedding the challenge in one response will be of no use to the reduction algorithm. This simple example shows that proving security in the classical RO model does not necessarily prove post-quantum security.

More abstractly, the following common classical proof techniques are not known to carry over to the quantum setting offhand:

— Adaptive Programmability: The classical random oracle model allows a simulator to program the answers of the random oracle for an adversary, often adaptively. Since the quantum adversary can query the random oracle with a state in superposition, the adversary may get some information about all exponentially many values right at the beginning, thereby making it difficult to program the oracle adaptively.

— Extractability/Preimage Awareness: Another application of the random oracle model for classical adversaries is that the simulator learns the pre-images the adversary is interested in. This is, for example, crucial to simulate decryption queries in the security proof for OAEP [FOPS01]. For quantum-accessible oracles the actual query may be hidden in a superposition of exponentially many states, and it is unclear how to extract the right query.

— Efficient Simulation: In the classical world, we can simulate an exponential-size random oracle efficiently via lazy sampling: simply pick random but consistent answers "on the fly". With quantum-accessible random oracles the adversary can evaluate the random oracle on all inputs simultaneously, making it harder to apply the on-demand strategy for classical oracles.

— Rewinding/Partial Consistency: Certain random oracle proofs [PS00] require rewinding the adversary, replaying some hash values but changing at least a single value. Beyond the usual problems of rewinding quantum adversaries, we again encounter the fact that we may not be able to change hash values unnoticed. We note that some form of rewinding is possible for quantum zero-knowledge [Wat09].

We do not claim that these problems are insurmountable. In fact, we show how to resolve the issue of efficient simulation by using (quantum-accessible) pseudorandom functions. These are pseudorandom functions where the quantum distinguisher can submit quantum states to the pseudorandom or random oracle. By this technique, we can efficiently simulate the quantum-accessible random oracle through the (efficient) pseudorandom function. While pseudorandom functions where the distinguisher may use quantum power but only gets classical access to the function can be derived from quantum-immune pseudorandom generators [GGM86], it is an open problem if the stronger quantum-accessible pseudorandom functions exist.

Note, too, that we do not seek to solve the problems related to the random oracle model which appear already in the classical setting [CGH98]. Instead we show that for post-quantum security one should allow for quantum access to the random oracle in order to capture attacks that are available when the hash function is eventually instantiated.

1.1 Our Contributions 

Separation. We begin with a separation between the classical and quantum-accessible RO models by presenting a two-party protocol which is:

— secure in the classical random oracle model,

— secure against quantum attackers with classical access to the random oracle model, but insecure under any implementation of the hash function, and

— insecure in the quantum-accessible random oracle model.

The protocol itself assumes that (asymptotically) quantum computers are faster than classical (parallel) machines and uses the quadratic gap due to Grover's algorithm and its application to collision search [BHT98] to separate secure from insecure executions.



Constructions. Next, we set out to give general conditions under which a classical RO proof implies security for a quantum RO. Our goal is to provide generic tools by which authors can simply state that their classical proof has the "right" structure and therefore their proof implies quantum security. We give two flavors of results:

— For signatures, we define a proof structure we call a history-free reduction which roughly says that the reduction answers oracle queries independently of the history of queries. We prove that any classical proof that happens to be a history-free reduction implies quantum existential unforgeability for the signature scheme. We then show that the GPV random oracle signature scheme [GPV08] has a history-free reduction and is therefore secure in the quantum setting.

Next, we consider signature schemes built from claw-free permutations. The first is the Full Domain Hash (FDH) signature system of Bellare and Rogaway [BR93], for which we show that the classical proof technique due to Coron [Cor00] is history-free. We also prove the quantum security of a variant of FDH due to Katz and Wang [KW03] which has a tight security reduction. Lastly, we note that, as observed in [GPV08], claw-free permutations give rise to preimage sampleable trapdoor functions, which gives another FDH-like signature scheme with a tight security reduction. In all three cases the reductions in the quantum-accessible random oracle model achieve essentially the same tightness as their classical analogs.

Interestingly, we do not know of a history-free reduction for the generic Full Domain Hash of Bellare and Rogaway [BR93]. One reason is that proofs for generic FDH must somehow program the random oracle, as shown in [FLR+10]. We leave the quantum security of generic FDH as an interesting open problem. It is worth noting that at this time the quantum security of FDH is somewhat theoretical since we have no candidate quantum-secure trapdoor permutation to instantiate the FDH scheme, though this may change once a candidate is proposed.

— For encryption we prove the quantum CPA security of an encryption scheme due to Bellare and Rogaway [BR93] and the quantum CCA security of a hybrid encryption variant of [BR93].

Many open problems remain in this space. For signatures, it is still open to prove the quantum security of signatures that result from applying the Fiat-Shamir heuristic to a $\Sigma$ identification protocol, for example, as suggested in [CLRS10]. Similarly, proving security of generic FDH is still open. For CCA-secure encryption, it is unknown if generic CPA to CCA transformations, such as [FO99], are secure in the quantum setting. Similarly, it is not known if lattice-based identity-based encryption systems secure in the classical RO model (e.g. as in [GPV08, ABB10b]) are also secure in the quantum random oracle model.

Related Work. The quantum random oracle model has been used in a few previous constructions. Aaronson [Aar09] uses quantum random oracles to construct unclonable public-key quantum money. Brassard and Salvail [BS08] give a modified version of Merkle's Puzzles, and show that any quantum attacker must query the random (permutation) oracle asymptotically more times than honest parties. Recently, a modified version was proposed that restores some level of security even in the presence of a quantum adversary [BHK+11]. Quantum random oracles have also been used to prove impossibility results for quantum computation. For example, Bennett et al. [BBBV97] show that relative to a random oracle, a quantum computer cannot solve all of NP.

Some progress toward identifying sufficient conditions under which classical protocols are also quantum immune has been made by Unruh [Unr10] and Hallgren et al. [HSS11]. These results show that, if a cryptographic protocol can be shown to be (computationally [HSS11] resp. statistically [Unr10]) secure in Canetti's universal composition (UC) framework [Can01] against classical adversaries, then the protocol is also resistant against (computationally bounded resp. unbounded) quantum adversaries. This, however, means that the underlying protocol must already provide strong security guarantees in the first place, namely, universal composition security, which is typically more than the aforementioned schemes in the literature satisfy. This also applies to similar results by Hallgren et al. [HSS11] for so-called simulation-based security notions for the starting protocol. Furthermore, all these results do not seem to be applicable immediately to the random oracle model where the quantum adversary now has quantum access to the random function (but where the ideal functionality for the random oracle in the UC framework would have only been defined for classical access according to the classical protocol specification), and where the question of instantiation is an integral step which needs to be considered.

2 Preliminaries

A non-negative function $\epsilon = \epsilon(n)$ is negligible if, for all polynomials $p(n)$, we have that $\epsilon(n) < p(n)^{-1}$ for all sufficiently large $n$. The variational distance between two distributions $D_1$ and $D_2$ over $\Omega$ is given by

$$|D_1 - D_2| = \sum_{x \in \Omega} \big| \Pr[x \mid D_1] - \Pr[x \mid D_2] \big|.$$

If the distance between two output distributions is $\epsilon$, the difference in probability of the output satisfying a certain property is at most $\epsilon$.
A classical randomized algorithm $A$ can be thought of in two ways. In the first, $A$ is given an input $x$, $A$ makes some coin tosses during its computation, and ultimately outputs some value $y$. We denote this action by $A(x)$ where $A(x)$ is a random variable. Alternatively, we can give $A$ both its input $x$ and randomness $r$, in which case we denote this action as $A(x; r)$. For a classical algorithm, $A(x; r)$ is deterministic. An algorithm $A$ runs in probabilistic polynomial-time (PPT) if it runs in polynomial time in the security parameter (which we often omit from the input for sake of simplicity).



2.1 Quantum Computation

We briefly give some background on quantum computation and refer to [NC00] for a more complete discussion. A quantum system $A$ is associated to a (finite-dimensional) complex Hilbert space $\mathcal{H}_A$ with an inner product $\langle \cdot | \cdot \rangle$. The state of the system is described by a vector $|\varphi\rangle \in \mathcal{H}_A$ such that the Euclidean norm $\| |\varphi\rangle \| = \sqrt{\langle \varphi | \varphi \rangle}$ is 1. Given quantum systems $A$ and $B$ over spaces $\mathcal{H}_A$ and $\mathcal{H}_B$, respectively, we define the joint or composite quantum system through the tensor product $\mathcal{H}_A \otimes \mathcal{H}_B$. The product state of $|\varphi_A\rangle \in \mathcal{H}_A$ and $|\varphi_B\rangle \in \mathcal{H}_B$ is denoted by $|\varphi_A\rangle \otimes |\varphi_B\rangle$ or simply $|\varphi_A\rangle |\varphi_B\rangle$. An $n$-qubit system lives in the joint quantum system of $n$ two-dimensional Hilbert spaces. The standard orthonormal computational basis $|x\rangle$ for such a system is given by $|x_1\rangle \otimes \cdots \otimes |x_n\rangle$ for $x = x_1 \cdots x_n$. Any (classical) bit string $x$ is encoded into a quantum state as $|x\rangle$. An arbitrary pure $n$-qubit state $|\varphi\rangle$ can be expressed in the computational basis as $|\varphi\rangle = \sum_{x \in \{0,1\}^n} \alpha_x |x\rangle$ where the $\alpha_x$ are complex amplitudes obeying $\sum_{x \in \{0,1\}^n} |\alpha_x|^2 = 1$.

Transformations. Evolutions of quantum systems are described by unitary transformations, with $I_A$ being the identity transformation on register $A$. Given a joint quantum system over $\mathcal{H}_A \otimes \mathcal{H}_B$ and a transformation $U_A$ acting only on $\mathcal{H}_A$, it is understood that $U_A |\varphi_A\rangle |\varphi_B\rangle$ refers to $(U_A \otimes I_B) |\varphi_A\rangle |\varphi_B\rangle$.

Information can be extracted from a quantum state $|\varphi\rangle$ by performing a positive-operator valued measurement (POVM) $M = \{M_i\}$ with positive semi-definite measurement operators $M_i$ that sum to the identity, $\sum_i M_i = I$. Outcome $i$ is obtained with probability $p_i = \langle \varphi | M_i | \varphi \rangle$. A special case are projective measurements such as the measurement in the computational basis of the state $|\varphi\rangle = \sum_x \alpha_x |x\rangle$, which yields outcome $x$ with probability $|\alpha_x|^2$. We can also do a partial measurement on some of the qubits. The probability of the partial measurement resulting in a string $x$ is the same as if we measured the whole state and ignored the rest of the qubits. In this case, the resulting state will be the same as $|\varphi\rangle$, except that all the strings inconsistent with $x$ are removed. This new state will not have a norm of 1, so the actual superposition is obtained by dividing by the norm. For example, if we measure the first $n$ bits of $|\varphi\rangle = \sum_{x,y} \alpha_{x,y} |x, y\rangle$, we will obtain the measurement $x$ with probability $\sum_y |\alpha_{x,y}|^2$, and in this case the resulting state will be

$$\frac{\sum_y \alpha_{x,y} |x, y\rangle}{\sqrt{\sum_y |\alpha_{x,y}|^2}}.$$

Following [BBC+98], we model a quantum attacker $\mathcal{A}_Q$ with access to (possibly identical) oracles $O_1, O_2, \ldots$ by a sequence of unitary transformations $U_1, O_1, U_2, \ldots, O_{T-1}, U_T$ over $k = \mathrm{poly}(n)$ qubits. Here, oracle $O_i : \{0,1\}^n \to \{0,1\}^m$ maps the first $n + m$ qubits from basis state $|x\rangle |y\rangle$ to basis state $|x\rangle |y \oplus O_i(x)\rangle$ for $x \in \{0,1\}^n$ and $y \in \{0,1\}^m$. If we require the access to $O_i$ to be classical instead of quantum, the first $n$ bits of the state are measured before applying the unitary transformation corresponding to $O_i$. Notice that any quantum-accessible oracle can also be used as a classical oracle. Note that the algorithm $\mathcal{A}_Q$ may also receive some input $|\psi\rangle$.

To introduce asymptotics we assume that $\mathcal{A}_Q$ is actually a sequence of such transformation sequences, indexed by parameter $n$, and that each transformation sequence is composed out of quantum systems for input, output, oracle calls, and work space (of sufficiently many qubits). To measure polynomial running time, we assume that each $U_i$ is approximated (to sufficient precision) by members of a set of universal gates (say, Hadamard, phase, CNOT and $\pi/8$; for sake of concreteness [NC00]), where at most polynomially many gates are used. Furthermore, $T = T(n)$ is assumed to be polynomial, too. Note that $T$ also bounds the number of oracle queries.

We define the Euclidean distance $\| |\phi\rangle - |\psi\rangle \|$ between two states as the value $\big( \sum_x |\alpha_x - \beta_x|^2 \big)^{1/2}$ where $|\phi\rangle = \sum_x \alpha_x |x\rangle$ and $|\psi\rangle = \sum_x \beta_x |x\rangle$.

Define $q_r(|\phi_t\rangle)$ to be the magnitude squared of $r$ in the superposition of query $t$. We call this the query probability of $r$ in query $t$. If we sum over all $t$, we get the total query probability of $r$.
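
To make the oracle model concrete, the following added Python sketch (not code from the paper) stores a state over the query and answer registers as a sparse amplitude map, applies the oracle map $|x\rangle|y\rangle \to |x\rangle|y \oplus O(x)\rangle$ in superposition, and computes the query probability $q_r$; the lazily sampled oracle, the seeds and the small register sizes are assumptions of the example. It shows the point made in the introduction: one quantum query puts probability $2^{-n}$ on every input and evaluates $O$ at all of them, whereas classical access (measuring the query register first) collapses the query to a single string.

```python
import math
import random
from typing import Callable, Dict, List, Tuple

# A pure state over the query register |x> (n bits) and answer register |y> (m bits),
# stored sparsely as basis state (x, y) -> complex amplitude.
State = Dict[Tuple[int, int], complex]


class LazyRandomOracle:
    """Random oracle O : {0,1}^n -> {0,1}^m simulated by lazy sampling: an answer is drawn
    the first time an input is seen and stored, so repeated queries stay consistent.
    A quantum query touches every input, so the table fills up to all 2^n entries."""

    def __init__(self, m: int, seed: int = 0) -> None:
        self.m = m
        self.rng = random.Random(seed)      # constructed randomness, seeded for repeatability
        self.table: Dict[int, int] = {}

    def __call__(self, x: int) -> int:
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(self.m)
        return self.table[x]


def uniform_query_state(n: int) -> State:
    """2^{-n/2} sum_x |x>|0>: the query that 'asks' about every x at once."""
    amp = 1.0 / math.sqrt(2 ** n)
    return {(x, 0): amp for x in range(2 ** n)}


def apply_oracle(state: State, oracle: Callable[[int], int]) -> State:
    """One quantum-accessible query: |x>|y> -> |x>|y xor O(x)>, applied to every basis
    state in the superposition.  The map permutes basis states, hence is unitary, and
    the amplitudes are carried along unchanged."""
    out: State = {}
    for (x, y), a in state.items():
        key = (x, y ^ oracle(x))
        out[key] = out.get(key, 0) + a
    return out


def query_probability(state: State, r: int) -> float:
    """q_r(|phi_t>): the squared magnitude the query register puts on the string r."""
    return sum(abs(a) ** 2 for (x, _), a in state.items() if x == r)


def total_query_probability(query_states: List[State], r: int) -> float:
    """Sum of q_r over all T queries: the quantity that Lemma 2.2 bounds."""
    return sum(query_probability(s, r) for s in query_states)


def classical_query(state: State, oracle: Callable[[int], int],
                    seed: int = 0) -> Tuple[int, State]:
    """Classical access to the same oracle: measure the n query qubits first, which
    collapses the superposition to one x (renormalised), then apply the oracle.
    Afterwards the query register carries probability 1 on one string and 0 elsewhere."""
    rng = random.Random(seed)                # constructed measurement randomness
    probs: Dict[int, float] = {}
    for (x, _), a in state.items():
        probs[x] = probs.get(x, 0.0) + abs(a) ** 2
    xs = list(probs)
    x0 = rng.choices(xs, weights=[probs[x] for x in xs])[0]
    norm = math.sqrt(probs[x0])
    collapsed = {(x, y): a / norm for (x, y), a in state.items() if x == x0}
    return x0, apply_oracle(collapsed, oracle)


def norm_squared(state: State) -> float:
    """Sum of |amplitude|^2; stays 1 under the (unitary) oracle map."""
    return sum(abs(a) ** 2 for a in state.values())


if __name__ == "__main__":
    n, m = 4, 3
    oracle = LazyRandomOracle(m, seed=1)
    phi = uniform_query_state(n)
    after = apply_oracle(phi, oracle)
    # Quantum access: q_r = 2^-n for every r, and O was evaluated at all 2^n points.
    print("q_5 after quantum query:", query_probability(after, 5),
          "oracle table size:", len(oracle.table))
    # Classical access: the same state collapses to a single query string.
    x0, after_c = classical_query(phi, LazyRandomOracle(m, seed=2), seed=3)
    print("classical query collapsed to x =", x0, "q_x0 =", query_probability(after_c, x0))
```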

We will be using the following lemmas:

Lemma 2.1 ([BBBV97] Theorem 3.1). Let $|\phi\rangle$ and $|\psi\rangle$ be quantum states with Euclidean distance at most $\epsilon$. Then, performing the same measurement on $|\phi\rangle$ and $|\psi\rangle$ yields distributions with statistical distance at most $4\epsilon$.

Lemma 2.2 ([BBBV97] Theorem 3.3). Let $\mathcal{A}_Q$ be a quantum algorithm running in time $T$ with oracle access to $O$. Let $\epsilon > 0$ and let $S \subseteq [1, T] \times \{0,1\}^n$ be a set of time-string pairs such that $\sum_{(t, r) \in S} q_r(|\phi_t\rangle) \le \epsilon$. If we modify $O$ into an oracle $O'$ which answers each query $r$ at time $t$ by providing the same string $R$ (which has been independently sampled at random), then the Euclidean distance between the final states of $\mathcal{A}_Q$ when invoking $O$ and $O'$ is at most $\sqrt{T\epsilon}$.

2.2 Quantum-Accessible Random Oracles

In the classical random oracle model [BR93] all algorithms used in the system are given access to the same random oracle. In the proof of security, the reduction algorithm answers the adversary's queries with consistent random answers.

In the quantum setting, a quantum attacker issues a random oracle query which is itself a superposition of exponentially many states. The reduction algorithm must evaluate the random oracle at all points in the superposition. To ensure that random oracle queries are answered consistently across queries, it is convenient to assume that quantum-resistant pseudorandom functions exist, and to implement this auxiliary random oracle with such a PRF.

Definition 2.3 (Pseudorandom Function). A quantum-accessible pseudorandom function is an efficiently computable function PRF where, for all efficient quantum algorithms $D$,

$$\Big| \Pr\big[ D^{\mathrm{PRF}_k(\cdot)}(1^n) = 1 \big] - \Pr\big[ D^{O(\cdot)}(1^n) = 1 \big] \Big| < \epsilon$$

where $\epsilon = \epsilon(n)$ is negligible in $n$, and where $O$ is a random oracle, the first probability is over the keys $k$ of length $n$, and the second probability is over all random oracles and the sampling of the result of $D$.

We note that, following Watrous [Wat09], indistinguishability as above should still hold for any auxiliary quantum state $\sigma$ given as additional input to $D$ (akin to non-uniformity for classical algorithms). We do not include such auxiliary information in our definition in order to simplify.

We say that an oracle $O'$ is computationally indistinguishable from a random oracle if, for all polynomial time quantum algorithms with oracle access, the variational distance of the output distributions when the oracle is $O'$ and when the oracle is a truly random oracle $O$ is negligible. Thus, simulating a random oracle with a quantum-accessible pseudorandom function is computationally indistinguishable from a true random oracle.

We remark that, instead of assuming that quantum-accessible PRFs exist, we can often carry out security reductions relative to a random oracle. Consider, for example, a signature scheme (in the quantum-accessible random oracle model) which we prove to be unforgeable for quantum adversaries, via a reduction to the one-wayness of a trapdoor permutation against quantum inverters. We can then formally first claim that the scheme is unforgeable as long as inverting the trapdoor permutation is infeasible even when having the additional power of a quantum-accessible random oracle; only in the next step do we then conclude that this remains true in the standard model, if we assume that quantum-accessible pseudorandom functions exist and let the inverter simulate the random oracle with such a PRF. We thus still get a potentially reasonable security claim even if such PRFs do not exist. This technique works whenever we can determine the success of the adversary (as in the case of inverting a one-way function).



2.3 Hard Problems for Quantum Computers

We will use the following general notion of a hard problem.

Definition 2.4 (Problem). A problem is a pair $P = (\mathrm{Game}_P, \alpha_P)$ where $\mathrm{Game}_P$ specifies a game that a (possibly quantum) adversary plays with a classical challenger. The game works as follows:

• On input $1^n$, the challenger computes a value $x$, which it sends to the adversary as its input.

• The adversary is then run on $x$, and is allowed to make classical queries to the challenger.

• The adversary then outputs a value $y$, which it sends to the challenger.

• The challenger then looks at $x$, $y$, and the classical queries made by the adversary, and outputs 1 or 0.

The value $\alpha_P$ is a real number between 0 (inclusive) and 1 (exclusive). It may also be a function of $n$, but for this paper, we only need constant $\alpha_P$, specifically $\alpha_P$ is always 0 or $1/2$.

We say that an adversary $\mathcal{A}$ wins the game $\mathrm{Game}_P$ if the challenger outputs 1. We define the advantage $\mathrm{Adv}_{\mathcal{A}, P}$ of $\mathcal{A}$ in problem $P$ as

$$\mathrm{Adv}_{\mathcal{A}, P} = \big| \Pr[\mathcal{A} \text{ wins in } \mathrm{Game}_P] - \alpha_P \big|.$$

Definition 2.5 (Hard Problem). A problem $P = (\mathrm{Game}_P, \alpha_P)$ is hard for quantum computers if, for all polynomial time quantum adversaries $\mathcal{A}$, $\mathrm{Adv}_{\mathcal{A}, P}$ is negligible.

2.4 Cryptographic Primitives

For this paper, we define the security of standard cryptographic primitives in terms of certain problems being hard for quantum computers. We give a brief sketch here and refer to the appendix for supplementary details.

A trapdoor function $\mathcal{F}$ is secure if $\mathrm{Inv}(\mathcal{F}) = (\mathrm{Game}_{\mathrm{INV}}(\mathcal{F}), 0)$ is a hard problem for quantum computers, where in $\mathrm{Game}_{\mathrm{INV}}$, an adversary is given a random element $y$ and a public key, and succeeds if it can output an inverse for $y$ relative to the public key. A preimage sampleable trapdoor function $\mathcal{F}$ is secure if $\mathrm{Inv}(\mathcal{F})$ as described above is hard, and if $\mathrm{Col}(\mathcal{F}) = (\mathrm{Game}_{\mathrm{Col}}(\mathcal{F}), 0)$ is hard for quantum computers, where in $\mathrm{Game}_{\mathrm{Col}}$, an adversary is given a public key and succeeds if it can output a collision relative to that public key. A signature scheme $\mathcal{S}$ is secure if the game $\mathrm{Sig\text{-}Forge}(\mathcal{S}) = (\mathrm{Game}_{\mathrm{Sig}}(\mathcal{S}), 0)$ is hard, where $\mathrm{Game}_{\mathrm{Sig}}$ is the standard existential unforgeability under a chosen message attack game. Lastly, a private (resp. public) key encryption scheme $\mathcal{E}$ is secure if $\mathrm{Sym\text{-}CCA}(\mathcal{E}) = (\mathrm{Game}_{\mathrm{Sym}}(\mathcal{E}), 1/2)$ (resp. $\mathrm{Asym\text{-}CCA}(\mathcal{E}) = (\mathrm{Game}_{\mathrm{Asym}}(\mathcal{E}), 1/2)$) is hard, where $\mathrm{Game}_{\mathrm{Sym}}$ is the standard private key CCA attack game, and $\mathrm{Game}_{\mathrm{Asym}}$ is the standard public key attack game.
3 Separation Result

In this section, we discuss a two-party protocol that is provably secure in the random oracle model against both classical and quantum adversaries with classical access to the random oracle (and when using quantum-immune primitives). We then use the polynomial gap between the birthday attack and a collision finder based on Grover's algorithm to show that the protocol remains secure for certain hash functions when only classical adversaries are considered, but becomes insecure for any hash function if quantum adversaries are allowed. Analyzing the protocol in the stronger quantum random oracle model, where we grant the adversary quantum access to the random oracle, yields the same negative result.

3.1 Preliminaries 

We start this section by presenting the necessary definitions and assumptions 
for our construction. For sake of simplicity, we start with a quantum-immune 
identification scheme to derive our protocol; any other primitive or protocol can 
be used in a similar fashion. 

Identification Schemes. An identification scheme IS consists of three efficient algorithms $(\mathrm{IS.KGen}, \mathcal{P}, \mathcal{V})$ where IS.KGen on input $1^n$ returns a key pair $(sk, pk)$. The joint execution of $\mathcal{P}(sk, pk)$ and $\mathcal{V}(pk)$ then defines an interactive protocol between the prover $\mathcal{P}$ and the verifier $\mathcal{V}$. At the end of the protocol $\mathcal{V}$ outputs a decision bit $b \in \{0, 1\}$. We assume completeness in the sense that for any honest prover the verifier accepts the interaction with output $b = 1$. Security of identification schemes is usually defined by considering an adversary $\mathcal{A}$ that first interacts with the honest prover to obtain some information about the secret key. In a second stage, the adversary then plays the role of the prover and has to make a verifier accept the interaction. We say that an identification scheme is sound if the adversary can convince the verifier with negligible probability only.

(Near-)Collision-Resistant Hash Functions. A hash function $H = (\mathrm{H.KGen}, \mathrm{H.Eval})$ is a pair of efficient algorithms such that H.KGen for input $1^n$ returns a key $k$ (which contains $1^n$), and H.Eval for input $k$ and $M \in \{0,1\}^*$ deterministically outputs a digest $\mathrm{H.Eval}(k, M)$. For a random oracle $H$ we use $k$ as a "salt" and consider the random function $H(k, \cdot)$. The hash function is called near-collision-resistant if for any efficient algorithm $\mathcal{A}$ the probability that for $k \leftarrow \mathrm{H.KGen}(1^n)$, some constant $1 \le \ell \le n$ and $(M, M') \leftarrow \mathcal{A}(k, \ell)$ we have $M \neq M'$ but $\mathrm{H.Eval}(k, M)|_\ell = \mathrm{H.Eval}(k, M')|_\ell$, is negligible (as a function of $n$). Here we denote by $x|_\ell$ the leading $\ell$ bits of the string $x$. Note that for $\ell = n$ the above definition yields the standard notion of collision-resistance.

In the classical setting, (near-)collision-resistance for any hash function is upper bounded by the birthday attack. This generic attack states that for any hash function with $n$ bits output, an attacker can find a collision with probability roughly $1/2$ by probing $2^{n/2}$ distinct and random inputs. For random oracles this attack is optimal.
Grover's Algorithm and Quantum Collision Search. Grover's algorithm [Gro96, Gro98] performs a search on an unstructured database with $N$ elements in time $O(\sqrt{N})$ while the best classical algorithm requires $O(N)$ steps. Roughly, this is achieved by using superpositions to examine all entries "at the same time". Brassard et al. [BHT98] showed that this speed-up can also be obtained for solving the collision problem for a hash function $H : \{0,1\}^* \to \{0,1\}^n$. To this end, one first selects a subset $K$ of the domain $\{0,1\}^*$ and then applies Grover's algorithm on an indicator function $f$ that tests for any input $M \in \{0,1\}^* \setminus K$ if there exists an $M' \in K$ such that $H(M) = H(M')$ holds. By setting $|K| = \sqrt[3]{2^n}$, the algorithm finds a collision after $O(\sqrt[3]{2^n})$ evaluations of $H$ with probability at least $1/2$.

Computational and Timing Assumptions. To allow reasonable statements about the security of our protocol we need to formalize assumptions concerning the computational power of the adversary and the time that elapses on quantum and classical computers. We first demand that the speed-up one can gain by using a parallel machine with many processors is bounded by a fixed term. This basically reflects the fact that in the real world there is only a concrete and finite amount of equipment available that can contribute to such a performance gain.

Assumption 1 (Parallel Speed-Up) Let $T(C)$ denote the time that is required to solve a problem $C$ on a classical computer, and $T_P(C)$ the time that elapses on a parallel system. Then there exists a constant $\alpha > 1$ such that for any problem $C$ it holds that $T_P(C) \ge T(C)/\alpha$.

We also introduce two assumptions regarding the time that is needed to evaluate a hash function or to send a message between two parties. Note that both assumptions are merely for the sake of convenience, as one could patch the idea by relating the timings more rigorously. The first assumption states that the time that is required to evaluate a hash function $H$ is independent of the input and the computational environment.

Assumption 2 (Unit Time) For any hash function $H$ and any input message $M$ (resp. $M_Q$ for quantum-state inputs) the evaluation of $H(M)$ requires a constant time $T(H(M)) = T_P(H(M)) = T_Q(H(M_Q))$ (where $T_Q$ denotes the time that elapses on a quantum computer).

Furthermore, we do not charge any extra time for sending and receiving messages, or for any computation other than evaluating a hash function (e.g., maintaining lists of values).

Assumption 3 (Zero Time) Any computation or action that does not require the evaluation of a hash function costs zero time.

The latter assumption implicitly states that the computational overhead that quantum algorithms may create to obtain a speed-up is negligible when compared to the costs of a hash evaluation. This might be too optimistic in the near future, as indicated by Bernstein [Ber09]. That is, Bernstein discussed that the overall costs of a quantum computation can be higher than those of massively parallel computation. However, as our work addresses conceptual issues that arise when efficient quantum computers exist, this assumption is somewhat inherent in our scenario.



3.2 Construction 



We now present our identification scheme between a prover $P$ and a verifier $V$ (see Figure 1). The main idea is to augment a secure identification scheme IS by a collision-finding stage for some hash function $H$. In this first stage, the verifier checks if the prover is able to produce collisions on a hash function in a particular time. More precisely, the verifier starts, for timekeeping, to evaluate the hash function $H.\mathrm{Eval}(k, \cdot)$ on the messages $\langle c \rangle$ for $c = 1, 2, \ldots$ for a key $k$ chosen by the verifier, where $\langle c \rangle$ stands for the binary representation of $c$ with $\log \sqrt{2^{\ell}}$ bits. The prover now has to respond with a near-collision $M \neq M'$ such that $H.\mathrm{Eval}(k, M) = H.\mathrm{Eval}(k, M')$ holds for the first $\ell$ bits. One round of the collision stage ends if the verifier either receives such a collision or finishes its hash evaluations. The verifier and the receiver then repeat such a round $r = \mathrm{poly}(n)$ times, sending a fresh key $k$ in each round.

Subsequently, both parties run the standard identification scheme. At the 
end, the verifier accepts if the prover was able to find enough collisions in the 
first stage or identifies correctly in the second stage. Thus, as long as the prover is 
not able to produce collisions in the required time, the protocol mainly resembles 
the IS protocol. 

Completeness of the IS* protocol follows easily from the completeness of the 
underlying IS scheme. 
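As an added illustration (not code from the paper), the following Python model runs the collision stage described above with a tiny $\ell$: $H.\mathrm{Eval}$ is modelled by HMAC-SHA256, the verifier's clock is its own $\sqrt{2^{\ell}}$ evaluations, and a constructed birthday-search prover plays against it; all helper names are this example's own.

```python
"""Toy model of the IS* collision stage (added example, not the paper's code).

H.Eval(k, .) is modelled by HMAC-SHA256; ell is tiny so the birthday search
finishes instantly (a real instantiation needs ell > 6 log(alpha)). All helper
names here are this example's own, not the paper's."""
import hashlib
import hmac
import math
import random
from typing import Optional, Tuple


def h_eval(k: bytes, msg: bytes) -> bytes:
    """H.Eval(k, M), modelled as HMAC-SHA256."""
    return hmac.new(k, msg, hashlib.sha256).digest()


def first_bits(digest: bytes, ell: int) -> int:
    """The first ell bits of a digest as an integer (ell <= 256)."""
    return int.from_bytes(digest, "big") >> (8 * len(digest) - ell)


def near_collision(k: bytes, m1: bytes, m2: bytes, ell: int) -> bool:
    """Verifier's check: M != M' and H.Eval(k, M), H.Eval(k, M') agree on the first ell bits."""
    if m1 == m2:
        return False
    return first_bits(h_eval(k, m1), ell) == first_bits(h_eval(k, m2), ell)


def verifier_budget(ell: int) -> int:
    """Hash evaluations the verifier performs as its clock: sqrt(2^ell), rounded down."""
    return math.isqrt(2 ** ell)


def counter_message(c: int) -> bytes:
    """<c>: the binary representation of the counter c, as bytes."""
    return c.to_bytes(max(1, (c.bit_length() + 7) // 8), "big")


def seeded_rng(seed: int) -> random.Random:
    """Deterministic randomness so a run can be reproduced."""
    return random.Random(seed)


def birthday_prover(k: bytes, ell: int, budget: int,
                    rng: random.Random) -> Optional[Tuple[bytes, bytes]]:
    """A classical prover allowed `budget` hash evaluations: a plain birthday
    search over the first ell bits. Returns a near-collision or None."""
    seen = {}
    for _ in range(budget):
        m = rng.getrandbits(64).to_bytes(8, "big")
        tag = first_bits(h_eval(k, m), ell)
        if tag in seen and seen[tag] != m:
            return seen[tag], m
        seen[tag] = m
    return None


def run_collision_stage(ell: int, rounds: int, prover, rng: random.Random) -> int:
    """Run r rounds with a fresh key each; count rounds in which the prover
    returned a valid near-collision before the verifier's clock ran out."""
    coll_count = 0
    budget = verifier_budget(ell)
    for _ in range(rounds):
        k = rng.getrandbits(128).to_bytes(16, "big")   # fresh key per round
        # The verifier keeps time by evaluating H.Eval(k, <c>) for c = 1, 2, ...
        for c in range(1, budget + 1):
            h_eval(k, counter_message(c))
        # The prover gets the same number of evaluations: under Assumptions 1-3
        # hash evaluations are the only cost that is counted.
        answer = prover(k, ell, budget, rng)
        if answer is not None and near_collision(k, answer[0], answer[1], ell):
            coll_count += 1
    return coll_count


def verifier_accepts(coll_count: int, rounds: int, is_accepts: bool) -> bool:
    """Final IS* decision: accept if the IS stage accepted or collCount > r/4."""
    return is_accepts or coll_count > rounds / 4


if __name__ == "__main__":
    rng = seeded_rng(2024)
    ell, rounds = 16, 20
    count = run_collision_stage(ell, rounds, birthday_prover, rng)
    print(f"ell={ell}: collisions in {count}/{rounds} rounds; "
          f"accept via collisions: {verifier_accepts(count, rounds, False)}")
```

With a budget of exactly $\sqrt{2^{\ell}}$ evaluations the birthday prover succeeds in only a fraction of the rounds, which is why the protocol demands more than $r/4$ of them.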



Security against Classical and Quantum Adversaries. To prove security of our protocol, we need to show that an adversary A, after interacting with an honest prover $P$, can subsequently not impersonate $P$ such that $V$ will accept the identification. Let $\ell$ be such that $\ell > 6 \log(\alpha)$, where $\alpha$ is the constant reflecting the bounded speed-up in parallel computing from Assumption 1. By assuming that $\mathrm{IS} = (\mathrm{IS.KGen}, P, V)$ is a quantum-immune identification scheme, we can show that IS* is secure in the standard random oracle model against classical and quantum adversaries.

The main idea is that for the standard random oracle model, the ability to find collisions is bounded by the birthday attack. Due to the constraint of granting only time $O(\sqrt{2^{\ell}})$ for the collision search and setting $\ell > 6 \log(\alpha)$, even an adversary with quantum or parallel power is not able to make at least random oracle queries. Thus, A has only negligible probability to respond in more than $1/4$ of the $r$ rounds with a collision.

When considering only classical adversaries, we can also securely instantiate the random oracle by a hash function $H$ that provides near-collision-resistance close to the birthday bound. Note that this property is particularly required from the SHA-3 candidates [NIS07].

Fig. 1. The IS*-Identification Protocol (figure not reproduced; its final verifier decision reads: accept if $b = 1$ or $\mathrm{collCount} > r/4$)

However, for adversaries $A_Q$ with quantum power, such an instantiation is not possible for any hash function. This stems from the fact that $A_Q$ can locally evaluate a hash function on quantum states, which in turn allows it to apply Grover's search algorithm. Then an adversary will find a collision in time $\sqrt{2^{\ell}}$ with probability at least $1/2$, and thus will be able to provide $r/4$ collisions with noticeable probability. The same result holds in the quantum-accessible random oracle model, since Grover's algorithm only requires (quantum) black-box access to the hash function.

Formal proofs of all statements are given in Appendix B.

4 Signature Schemes in the Quantum-Accessible Random Oracle Model

We now turn to proving security in the quantum-accessible random oracle model. 
We present general conditions for when a proof of security in the classical random 
oracle model implies security in the quantum-accessible random oracle model. 
The result in this section applies to signatures whose classical proof of security 
is a history-free reduction as defined next. Roughly speaking, history-freeness 
means that the classical proof of security simulates the random oracle and sig- 
nature oracle in a history-free fashion. That is, its responses to queries do not 
depend on responses to previous queries or the query number. We then show that 
a number of classical signature schemes have a history-free reduction thereby 
proving their security in the quantum-accessible random oracle model. 

Definition 4.1 (History-free Reduction). A random oracle model signature scheme $\mathcal{S} = (G, S, V)$ has a history-free reduction from a hard problem $\mathcal{P} = (\mathrm{Game}_{\mathcal{P}}, O)$ if there is a proof of security that uses a classical PPT adversary A for $\mathcal{S}$ to construct a classical PPT algorithm B for problem $\mathcal{P}$ such that:

• Algorithm B for $\mathcal{P}$ contains four explicit classical algorithms: START, $\mathrm{RAND}^{O_c}$, $\mathrm{SIGN}^{O_c}$, and $\mathrm{FINISH}^{O_c}$. The latter three algorithms have access to a shared classical random oracle $O_c$. These algorithms, except for $\mathrm{RAND}^{O_c}$, may also make queries to the challenger for problem $\mathcal{P}$. The algorithms are used as follows:

(1) Given an instance $x$ for problem $\mathcal{P}$ as input, algorithm B first runs $\mathrm{START}(x)$ to obtain $(\mathrm{pk}, z)$ where pk is a signature public key and $z$ is private state to be used by B. Algorithm B sends pk to A and plays the role of challenger to A.

(2) When A makes a classical random oracle query to $O(r)$, algorithm B responds with $\mathrm{RAND}^{O_c}(r, z)$. Note that RAND is given the current query as input, but is unaware of previous queries and responses.

(3) When A makes a classical signature query $S(\mathrm{sk}, m)$, algorithm B responds with $\mathrm{SIGN}^{O_c}(m, z)$.

(4) When A outputs a signature forgery candidate $(m, \sigma)$, algorithm B outputs $\mathrm{FINISH}^{O_c}(m, \sigma, z)$.

• There is an efficiently computable function $\mathrm{INSTANCE}(\mathrm{pk})$ which produces an instance $x$ of problem $\mathcal{P}$ such that $\mathrm{START}(x) = (\mathrm{pk}, z)$ for some $z$. Consider the process of first generating $(\mathrm{sk}, \mathrm{pk})$ from $G(1^n)$, and then computing $x = \mathrm{INSTANCE}(\mathrm{pk})$. The distribution of $x$ generated in this way is negligibly close to the distribution of $x$ generated in $\mathrm{Game}_{\mathcal{P}}$.

• For fixed $z$, consider the classical random oracle $O(r) = \mathrm{RAND}^{O_c}(r, z)$. Define a quantum oracle $O_{\mathrm{quant}}$, which transforms a basis element $|x, y\rangle$ into $|x, y \oplus O(x)\rangle$. We require that $O_{\mathrm{quant}}$ is quantum computationally indistinguishable from a random oracle.

• $\mathrm{SIGN}^{O_c}$ either aborts (and hence B aborts) or it generates a valid signature relative to the oracle $O(r) = \mathrm{RAND}^{O_c}(r, z)$ with a distribution negligibly close to the correct signing algorithm. The probability that none of the signature queries abort is non-negligible.

• If $(m, \sigma)$ is a valid signature forgery relative to the public key pk and oracle $O(r) = \mathrm{RAND}^{O_c}(r, z)$ then the output of B (i.e. $\mathrm{FINISH}^{O_c}(m, \sigma, z)$) causes the challenger for problem $\mathcal{P}$ to output 1 with non-negligible probability. □

We now show that history-free reductions imply security in the quantum setting. 

Theorem 4.2. Let S = (G,S,V) be a signature scheme. Suppose that there is 
a history-free reduction that uses a classical PPT adversary A for S to con- 
struct a PPT algorithm B for a problem P. Further, assume that P is hard for 
polynomial-time quantum computers, and that quantum-accessible pseudorandom 
functions exist. Then S is secure in the quantum-accessible random oracle model. 

Proof. The history-free reduction includes five (classical) algorithms START, RAND, SIGN, FINISH, and INSTANCE, as in Definition 4.1. We prove the quantum security of S using a sequence of games, where the first game is the standard quantum signature game with respect to S.

Game 0. Define $\mathrm{Game}_0$ as the game a quantum adversary $A_Q$ plays for problem Sig-Forge(S). Assume towards contradiction that $A_Q$ has a non-negligible advantage.

Game 1. Define $\mathrm{Game}_1$ as the following modification to $\mathrm{Game}_0$: after the challenger generates (sk, pk), it computes $x \leftarrow \mathrm{INSTANCE}(\mathrm{pk})$ as well as $(\mathrm{pk}, z) \leftarrow \mathrm{START}(x)$. Further, instead of answering $A_Q$'s quantum random oracle queries with a truly random oracle, the challenger simulates for $A_Q$ a quantum-accessible random oracle $O_{\mathrm{quant}}$ as an oracle that maps a basis element $|x, y\rangle$ into the element $|x, y \oplus \mathrm{RAND}^{O_c}(x, z)\rangle$, where $O_c$ is a truly (classical) random oracle. The history-free guarantee on RAND ensures that $O_{\mathrm{quant}}$ is computationally indistinguishable from random for quantum adversaries. Therefore, the success probability of $A_Q$ in $\mathrm{Game}_1$ is negligibly close to its success probability in $\mathrm{Game}_0$, and hence is non-negligible.

Game 2. Modify the challenger from $\mathrm{Game}_1$ as follows: instead of generating (sk, pk) and computing $x = \mathrm{INSTANCE}(\mathrm{pk})$, start off by running the challenger for problem P. When that challenger sends $x$, then start the challenger from $\mathrm{Game}_1$ using this $x$. Also, when $A_Q$ asks for a signature on $m$, answer with $\mathrm{SIGN}^{O_c}(m, z)$. First, since INSTANCE is part of a history-free reduction, this change in how we compute $x$ only negligibly affects the distribution of $x$, and hence the behavior of $A_Q$. Second, as long as all signing algorithms succeed, changing how we answer signing queries only negligibly affects the behavior of $A_Q$. Thus, the probability that $A_Q$ succeeds is the product of the following two probabilities:

• The probability that all of the signing queries are answered without aborting.

• The probability that $A_Q$ produces a valid forgery given that the signing queries were answered successfully.

The first probability is non-negligible by assumption, and the second is negligibly close to the success probability of $A_Q$ in $\mathrm{Game}_1$, which is also non-negligible. This means that the success probability of $A_Q$ in $\mathrm{Game}_2$ is non-negligible.

Game 3. Define $\mathrm{Game}_3$ as in $\mathrm{Game}_2$, except for two modifications to the challenger: First, it generates a key $k$ for the quantum-accessible PRF. Then, to answer a random oracle query $O_{\mathrm{quant}}(|\phi\rangle)$, the challenger applies the unitary transformation that takes a basis element $|x, y\rangle$ into $|x, y \oplus \mathrm{PRF}(k, x)\rangle$. If the success probability in $\mathrm{Game}_3$ was non-negligibly different from that of $\mathrm{Game}_2$, we could construct a distinguisher for PRF which plays both the role of $A_Q$ and the challenger. Hence, the success probability in $\mathrm{Game}_3$ is negligibly close to that of $\mathrm{Game}_2$, and hence is also non-negligible.

Given a quantum adversary that has non-negligible advantage in $\mathrm{Game}_3$ we construct a quantum algorithm $B_Q$ that breaks problem P. When $B_Q$ receives instance $x$ from the challenger for problem P, it computes $(\mathrm{pk}, z) \leftarrow \mathrm{START}(x)$ and generates a key $k$ for PRF. Then, it simulates $A_Q$ on pk. $B_Q$ answers random oracle queries using a quantum-accessible function built from $\mathrm{RAND}^{\mathrm{PRF}(k, \cdot)}(\cdot, z)$ as in Game 1. It answers signing queries using $\mathrm{SIGN}^{\mathrm{PRF}(k, \cdot)}(\cdot, z)$. Then, when $A_Q$ outputs a forgery candidate $(m, \sigma)$, $B_Q$ computes $\mathrm{FINISH}^{\mathrm{PRF}(k, \cdot)}(m, \sigma, z)$, and returns the result to the challenger for problem P.

Observe that the behavior of $A_Q$ in $\mathrm{Game}_3$ is identical to that as a subroutine of $B_Q$. Hence, $A_Q$ as a subroutine of $B_Q$ will output a valid forgery $(m, \sigma)$ with non-negligible probability. If $(m, \sigma)$ is a valid forgery, then since FINISH is part of a history-free reduction, $\mathrm{FINISH}^{\mathrm{PRF}(k, \cdot)}(m, \sigma, z)$ will cause the challenger for problem P to accept with non-negligible probability. Thus, the probability that P accepts is also non-negligible, contradicting our assumption that P is hard for quantum computers.

Hence we have shown that any polynomial quantum algorithm has negligible advantage against problem Sig-Forge(S), which completes the proof. □

We note that, in every step of the algorithm, the adversary Aq remains in a 
pure state. This is because, in each game, Aq's state is initially pure (since it is 
classical), and every step of the game either involves a unitary transformation, a 
partial measurement, or classical communication. In all three cases, if the state 
is pure before, it is also pure after. 

We also note that we could have stopped at $\mathrm{Game}_2$ and assumed that the cryptographic problem P is hard relative to a (quantum-accessible) random oracle. Assuming the existence of quantum-accessible pseudorandom functions allows us to draw the same conclusion in the standard (i.e., non-relativized) model at the expense of an extra assumption.

4.1 Secure Signatures From Preimage Sampleable Trapdoor Functions (PSF)

We now use Theorem 4.2 to prove the security of the Full Domain Hash signature scheme when instantiated with a preimage sampleable trapdoor function (PSF), such as the one proposed in [GPV08]. Loosely speaking, a PSF $\mathcal{F}$ is a tuple of PPT algorithms $(G, \mathrm{Sample}, f, f^{-1})$, where $G(\cdot)$ generates a key pair (pk, sk), $f(\mathrm{pk}, \cdot)$ defines an efficiently computable function, $f^{-1}(\mathrm{sk}, y)$ samples from the set of pre-images of $y$, and $\mathrm{Sample}(\mathrm{pk})$ samples $x$ from the domain of $f(\mathrm{pk}, \cdot)$ such that $f(\mathrm{pk}, x)$ is statistically close to uniform in the range of $f(\mathrm{pk}, \cdot)$. The PSF of [GPV08] is not only one-way, but is also collision resistant.

Recall that the full domain hash (FDH) signature scheme [BR93] is defined as follows:

Definition 4.3 (Full Domain Hash). Let $\mathcal{F} = (G_0, f, f^{-1})$ be a trapdoor permutation, and $O$ a hash function whose range is the same as the range of $f$. The full domain hash signature scheme is $\mathcal{S} = (G, S, V)$ where:

• $G = G_0$

• $S^O(\mathrm{sk}, m) = f^{-1}(\mathrm{sk}, O(m))$

• $V^O(\mathrm{pk}, m, \sigma) = 1$ if $O(m) = f(\mathrm{pk}, \sigma)$, and $0$ otherwise

Gentry et al. [GPV08] show that the FDH signature scheme can be instantiated with a PSF $\mathcal{F} = (G, \mathrm{Sample}, f, f^{-1})$ instead of a trapdoor permutation. Call the resulting system FDH-PSF. They prove that FDH-PSF is secure against classical adversaries, provided that the pre-image sampling algorithm used during signing is derandomized (e.g. by using a classical PRF to generate its random bits). Their reduction is not quite history-free, but we show that it can be made history-free.

Consider the following reduction from a classical adversary A for the FDH-PSF scheme S to a classical collision finder B for $\mathcal{F}$:

• On input pk, B computes $\mathrm{START}(\mathrm{pk}) := (\mathrm{pk}, \mathrm{pk})$, and simulates A on pk.

• When A queries $O(r)$, B responds with $\mathrm{RAND}^{O_c}(r, \mathrm{pk}) := f(\mathrm{pk}, \mathrm{Sample}(1^n; O_c(r)))$.

• When A queries $S(\mathrm{sk}, m)$, B responds with $\mathrm{SIGN}^{O_c}(m, \mathrm{pk}) := \mathrm{Sample}(1^n; O_c(m))$.

• When A outputs $(m, \sigma)$, B outputs $\mathrm{FINISH}^{O_c}(m, \sigma, \mathrm{pk}) := (\mathrm{Sample}(1^n; O_c(m)), \sigma)$.

In addition, we define $\mathrm{INSTANCE}(\mathrm{pk}) := \mathrm{pk}$. Algorithms INSTANCE and START trivially satisfy the requirements of history-freeness (Definition 4.1). Before showing that the above reduction is in history-free form, we need the following technical lemma whose proof is given in the appendix.

Lemma 4.4. Say A is a quantum algorithm that makes $q$ quantum oracle queries. Suppose further that we draw the oracle $O$ from two distributions. The first is the random oracle distribution. The second is the distribution of oracles where the value of the oracle at each input $x$ is identically and independently distributed by some distribution $D$ whose variational distance is within $\epsilon$ from uniform. Then the variational distance between the distributions of outputs of A with each oracle is at most $4q^2\sqrt{\epsilon}$.

Proof Sketch. We show that there is a way of moving from $O$ to $O_D$ such that the oracle is only changed on inputs in a set $K$ where the sum of the amplitudes squared of all $k \in K$, over all queries made by A, is small. Thus, we can use Lemma 2.2 to show that the expected behavior of any algorithm making polynomially many quantum queries to $O$ is only changed by a small amount. □

Lemma 4.4 shows that we can replace a truly random oracle $O$ with an oracle $O_D$ distributed according to distribution $D$ without impacting A, provided $D$ is close to uniform. Note, however, that while this change only affects the output of A negligibly, the effects are larger than in the classical setting. If A only made classical queries to $O$, a simple hybrid argument shows that changing to $O_D$ affects the distribution of the output of A by at most $q\epsilon$, as opposed to $4q^2\sqrt{\epsilon}$ in the quantum case. Thus, quantum security reductions that use Lemma 4.4 will not be as tight as their classical counterparts.

We now show that the reduction above is history-free. 

Theorem 4.5. The reduction above applied to FDH-PSF is history-free. 

Proof. The definition of a PSF implies that the distribution of $f(\mathrm{pk}, \mathrm{Sample}(1^n))$ is within $\epsilon_{\mathrm{sample}}$ of uniform, for some negligible $\epsilon_{\mathrm{sample}}$. Now, since $O(r) = \mathrm{RAND}^{O_c}(r, \mathrm{pk}) = f(\mathrm{pk}, \mathrm{Sample}(1^n; O_c(r)))$ and $O_c$ is a true random oracle, the quantity $O(r)$ is distributed independently according to a distribution that is $\epsilon_{\mathrm{sample}}$ away from uniform. Define a quantum oracle $O_{\mathrm{quant}}$ which transforms the basis state $|x, y\rangle$ into $|x, y \oplus O(x)\rangle$. Using Lemma 4.4, for any algorithm B making $q$ random oracle queries, the variational distance between the probability distributions of the outputs of B using a truly random oracle and the "not-quite" random oracle $O_{\mathrm{quant}}$ is at most $4q^2\sqrt{\epsilon_{\mathrm{sample}}}$, which is still negligible. Hence, $O_{\mathrm{quant}}$ is computationally indistinguishable from random.

Gentry et al. [GPV08] also show that $\mathrm{SIGN}^{O_c}(m, \mathrm{pk})$ is consistent with $\mathrm{RAND}^{O_c}(\cdot, \mathrm{pk})$ for all queries, and that if A outputs a valid forgery $(m, \sigma)$, $\mathrm{FINISH}^{O_c}(m, \sigma, \mathrm{pk})$ produces a collision for $\mathcal{F}$ with probability $1 - 2^{-E}$, where $E$ is the minimum over all $y$ in the range of $f(\mathrm{pk}, \cdot)$ of the min-entropy of the distribution on $\sigma$ given $f(\mathrm{pk}, \sigma) = y$. The PSF of Gentry et al. [GPV08] has super-logarithmic min-entropy, so $1 - 2^{-E}$ is negligibly close to 1, though any constant non-zero min-entropy will suffice to make the quantity a non-negligible fraction of 1. □

We note that the security proof of Gentry et al. [GPV08] is a tight reduction in the following sense: if the advantage of an adversary A for S is $\epsilon$, the reduction gives a collision finding adversary B for $\mathcal{F}$ with advantage negligibly close to $\epsilon$, provided that the lower bound over $y$ in the range of $f(\mathrm{pk}, \cdot)$ of the min-entropy of $\sigma$ given $f(\mathrm{pk}, \sigma) = y$ is super-logarithmic. If the PSF has a min-entropy of 1, the advantage of B is still $\epsilon/2$.

The following corollary, which is the main result of this section, follows from Theorems 4.2 and 4.5.

Corollary 4.6. If quantum-accessible pseudorandom functions exist, and $\mathcal{F}$ is a secure PSF against quantum adversaries, then the FDH-PSF signature scheme is secure in the quantum-accessible random oracle model.

4.2 Secure Signatures from Claw-Free Permutations 

In this section, we show how to use claw-free permutations to construct three signature schemes that have history-free reductions and are therefore secure in the quantum-accessible random oracle model. The first is the standard FDH from Definition 4.3 but when the underlying permutation is a claw-free permutation. We adapt the proof of Coron [Cor00] to give a history-free reduction. The second is the Katz and Wang [KW03] signature scheme, and we also modify their proof to get a history-free reduction. Lastly, following Gentry et al. [GPV08], we note that claw-free permutations give rise to a pre-image sampleable trapdoor function (PSF), which can then be used in FDH to get a secure signature scheme as in Section 4.1. The Katz-Wang and FDH-PSF schemes from claw-free permutations give a tight reduction, whereas the Coron-based proof loses a factor of $q_s$ in the security reduction, where $q_s$ is the number of signing queries.

Recall that a claw-free pair of permutations [GMR88] is a pair of trapdoor permutations $(\mathcal{F}_1, \mathcal{F}_2)$, where $\mathcal{F}_i = (G_i, f_i, f_i^{-1})$, with the following properties:

• $G_1 = G_2$. Define $G = G_1 = G_2$.

• For any key pk, $f_1(\mathrm{pk}, \cdot)$ and $f_2(\mathrm{pk}, \cdot)$ have the same domain and range.

• Given only pk, the probability that any PPT adversary can find a pair $(x_1, x_2)$ such that $f_1(\mathrm{pk}, x_1) = f_2(\mathrm{pk}, x_2)$ is negligible. Such a pair is called a claw.

Dodis and Reyzin [DR03] note that claw-free permutations are a generalization of trapdoor permutations with a random self-reduction. A random self-reduction is a way of taking a worst-case instance $x$ of a problem, and converting it into a random instance $y$ of the same problem, such that a solution to $y$ gives a solution to $x$. Dodis and Reyzin [DR03] show that any trapdoor permutation with a random self-reduction (e.g. RSA) gives a claw-free pair of permutations.

We note that currently there are no candidate pairs of claw-free permutations that are secure against quantum adversaries, but this may change in time.

FDH Signatures from Claw-Free Permutations Coron [Cor00] shows that the Full Domain Hash signature scheme, when instantiated with the RSA trapdoor permutation, has a tighter security reduction than the general Full Domain Hash scheme, in the classical world. That is, Coron's reduction loses a factor of approximately $q_s$, the number of signing queries, as opposed to $q_h$, the number of hash queries. Of course, the RSA trapdoor permutation is not secure against quantum adversaries, but his reduction can be applied to any claw-free permutation and is equivalent to a history-free reduction with similar tightness.

To construct a FDH signature scheme from a pair of claw-free permutations $(\mathcal{F}_1, \mathcal{F}_2)$, we simply instantiate FDH with $\mathcal{F}_1$, and ignore the second permutation $\mathcal{F}_2$, to yield the following signature scheme:

• G is the generator for the pair of claw-free permutations.

• $S^O(\mathrm{sk}, m) = f_1^{-1}(\mathrm{sk}, O(m))$

• $V^O(\mathrm{pk}, m, \sigma) = 1$ if and only if $f_1(\mathrm{pk}, \sigma) = O(m)$.

We now present a history-free reduction for this scheme. The random oracle for this reduction, $O_c(r)$, returns a random pair $(a, b)$, where $a$ is a random element from the domain of $\mathcal{F}_1$ and $\mathcal{F}_2$, and $b$ is a random element from $\{1, \ldots, p\}$ for some $p$ to be chosen later.

We construct a history-free reduction from a classical adversary A for S to a classical adversary B for $(\mathcal{F}_1, \mathcal{F}_2)$. Algorithm B, on input pk, works as follows:

• Compute $\mathrm{START}(\mathrm{pk}) = (\mathrm{pk}, \mathrm{pk})$, and simulate A on pk. Notice that $z = \mathrm{pk}$ is the state saved by B.

• When A queries $O(r)$, compute $\mathrm{RAND}^{O_c}(r, \mathrm{pk})$. For each string $r$, RAND works as follows: compute $(a, b) \leftarrow O_c(r)$. If $b = 1$, return $f_2(\mathrm{pk}, a)$. Otherwise, return $f_1(\mathrm{pk}, a)$.

• When A queries $S(\mathrm{sk}, m)$, compute $\mathrm{SIGN}^{O_c}(m, \mathrm{pk})$. SIGN works as follows: compute $(a, b) \leftarrow O_c(m)$ and return $a$ if $b \neq 1$. Otherwise, fail.

• When A returns $(m, \sigma)$, compute $\mathrm{FINISH}^{O_c}(m, \sigma, \mathrm{pk})$. FINISH works as follows: compute $(a, b) \leftarrow O_c(m)$ and output $(\sigma, a)$.

In addition, we have $\mathrm{INSTANCE}(\mathrm{pk}) = \mathrm{pk}$ and $\mathrm{START}(\mathrm{INSTANCE}(\mathrm{pk})) = (\mathrm{pk}, \mathrm{pk})$, so INSTANCE and START satisfy the required properties.

Theorem 4.7. The reduction above is in history-free form.

Proof. $\mathrm{RAND}^{O_c}(r, \mathrm{pk})$ is completely random and independently distributed, as $f_1(\mathrm{pk}, a)$ and $f_2(\mathrm{pk}, a)$ are both random ($f_b(\mathrm{pk}, \cdot)$ is a permutation and $a$ is truly random). As long as $b \neq 1$, where $(a, b) = O_c(m)$, $\mathrm{SIGN}^{O_c}(m, \mathrm{pk})$ will be consistent with RAND. This is because $V^{\mathrm{RAND}^{O_c}(\cdot, \mathrm{pk})}(\mathrm{pk}, m, \mathrm{SIGN}^{O_c}(m, \mathrm{pk}))$ outputs 1 if $\mathrm{RAND}^{O_c}(m, \mathrm{pk}) = f_1(\mathrm{pk}, \mathrm{SIGN}^{O_c}(m, \mathrm{pk}))$. But $\mathrm{RAND}^{O_c}(m, \mathrm{pk}) = f_1(\mathrm{pk}, a)$ (since $b \neq 1$), and $\mathrm{SIGN}^{O_c}(m, \mathrm{pk}) = a$. Thus, the equality holds. The probability over all signature queries of no failure is $(1 - 1/p)^{q_{\mathrm{SIGN}}}$. If we choose $p = q_{\mathrm{SIGN}}$, this quantity is at least $e^{-1} - o(1)$, which is non-negligible.

Suppose A returns a valid forgery $(m, \sigma)$, meaning A never asked for a signature on $m$ and $f_1(\mathrm{pk}, \sigma) = \mathrm{RAND}^{O_c}(m, \mathrm{pk})$. If $b = 1$ (where $(a, b) = O_c(m)$), then we have $f_1(\mathrm{pk}, \sigma) = \mathrm{RAND}^{O_c}(m, \mathrm{pk}) = f_2(\mathrm{pk}, a)$, meaning that $(\sigma, a)$ is a claw. Since A never asked for a signature on $m$, there is no way A could have figured out $a$, so the case where $b = 1$ and $a$ is the preimage of $O(m)$ under $f_2$, and the case where $b \neq 1$ and $a$ is the preimage of $O(m)$ under $f_1$, are indistinguishable. Thus, $b = 1$ with probability $1/p$. Thus, B converts a valid signature into a claw with non-negligible probability. □



Corollary 4.8. If quantum-accessible pseudorandom functions exist, and $(\mathcal{F}_1, \mathcal{F}_2)$ is a pair of claw-free trapdoor permutations, then the FDH scheme instantiated with $\mathcal{F}_1$ is secure against quantum adversaries.

Note that in this reduction, our simulated random oracle is truly random, so we do not need to rely on Lemma 4.4. Hence, the tightness of the reduction will be the same as in the classical setting. Namely, if the quantum adversary A has advantage $\epsilon$ when making $q_{\mathrm{SIGN}}$ signature queries, B will have advantage approximately $\epsilon/q_{\mathrm{SIGN}}$.
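To make the reduction concrete, here is an added Python model (not the paper's code) of B's algorithms START, RAND, SIGN and FINISH for FDH from a claw-free pair. The pair is a toy RSA-based one in the Dodis-Reyzin style, $f_1(x) = x^e \bmod N$ and $f_2(x) = y \cdot x^e \bmod N$ with tiny parameters (an assumption of this example; as noted above, no quantum-secure pair is known), and the forger A is stood in for by a routine that uses the real trapdoor purely to manufacture valid forgeries to feed into FINISH.

```python
"""Added model (not the paper's code) of the history-free reduction B for FDH
built from a claw-free pair (F1, F2), following the bullet list above.

Toy claw-free pair, an assumption of this example: on an RSA modulus N,
    f1(pk, x) = x^e mod N,    f2(pk, x) = y * x^e mod N,
so a claw (x1, x2) with f1(x1) = f2(x2) gives (x1 / x2)^e = y, i.e. an
e-th root of y. Parameters are tiny and insecure; they only make the
reduction's bookkeeping visible."""
import hashlib
from typing import Callable, Optional, Tuple

# --- toy parameters (constructed for this example) -------------------------
P_, Q_ = 1009, 1013
N = P_ * Q_
E = 65537
D = pow(E, -1, (P_ - 1) * (Q_ - 1))
Y = 12345                      # public shift that defines f2
PK = (N, E, Y)
SK = (N, D)


def f1(pk, x: int) -> int:
    n, e, _ = pk
    return pow(x, e, n)


def f2(pk, x: int) -> int:
    n, e, y = pk
    return (y * pow(x, e, n)) % n


def f1_inv(sk, v: int) -> int:
    n, d = sk
    return pow(v, d, n)


def is_claw(pk, x1: int, x2: int) -> bool:
    """(x1, x2) is a claw iff f1(pk, x1) = f2(pk, x2)."""
    return f1(pk, x1) == f2(pk, x2)


# --- the reduction's classical random oracle O_c and B's four algorithms ---
def make_oracle_oc(p: int, seed: int) -> Callable[[bytes], Tuple[int, int]]:
    """O_c(r) = (a, b) with a random in Z_N and b random in {1, ..., p}.
    Derived from a hash of (seed, r), so the answer to r is fixed and
    independent of every other query: no history is kept anywhere."""
    def oc(r: bytes) -> Tuple[int, int]:
        h = int.from_bytes(hashlib.sha256(seed.to_bytes(8, "big") + r).digest(), "big")
        a = 1 + (h & ((1 << 128) - 1)) % (N - 1)
        b = 1 + (h >> 128) % p
        return a, b
    return oc


def START(pk) -> Tuple[tuple, tuple]:
    return pk, pk                      # z = pk is the only state B keeps


def RAND(oc, r: bytes, z) -> int:
    """B's answer to a hash query O(r): f2(pk, a) if b = 1, else f1(pk, a)."""
    a, b = oc(r)
    return f2(z, a) if b == 1 else f1(z, a)


def SIGN(oc, m: bytes, z) -> Optional[int]:
    """B's answer to a signing query: a if b != 1 (then f1(a) = RAND(m)), else fail."""
    a, b = oc(m)
    return None if b == 1 else a


def FINISH(oc, m: bytes, sigma: int, z) -> Tuple[int, int]:
    """B's output on a forgery (m, sigma): the candidate claw (sigma, a)."""
    a, _ = oc(m)
    return sigma, a


def verify(oc, pk, m: bytes, sigma: int) -> bool:
    """V^O(pk, m, sigma) = 1 iff f1(pk, sigma) = O(m), with O(.) = RAND(., pk)."""
    return f1(pk, sigma) == RAND(oc, m, pk)


def ideal_forger(oc, pk, m: bytes) -> int:
    """Stands in for A: uses the real trapdoor SK (which B does not have) only
    to manufacture a valid forgery on m for the demonstration."""
    return f1_inv(SK, RAND(oc, m, pk))


def reduction_outcome(oc, pk, m: bytes) -> Tuple[bool, bool]:
    """Feed a valid forgery on m through FINISH; return (b == 1, got a claw)."""
    sigma = ideal_forger(oc, pk, m)
    assert verify(oc, pk, m, sigma)
    x1, x2 = FINISH(oc, m, sigma, pk)
    return oc(m)[1] == 1, is_claw(pk, x1, x2)


if __name__ == "__main__":
    oc = make_oracle_oc(p=4, seed=7)       # p = q_SIGN in the paper; 4 here
    pk, z = START(PK)
    outcomes = [reduction_outcome(oc, pk, b"msg-%d" % i) for i in range(200)]
    claws = sum(1 for _, claw in outcomes if claw)
    print(f"forgeries turned into claws: {claws}/200 (expected about 1/p = 1/4)")
```

Running it shows the two facts the proof relies on: every non-aborted simulated signature verifies under RAND, and a forgery becomes a claw exactly in the $b = 1$ case, i.e. with probability about $1/p$.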

The Katz-Wang Signature Scheme In this section, we consider a variant of FDH due to Katz and Wang [KW03]. This scheme admits an almost tight security reduction in the classical world. That is, if an adversary has advantage $\epsilon$, the reduction gives a claw finder with advantage $\epsilon/2$. Their proof of security is not in history-free form, but it can be modified so that it is in history-free form. Given a pair of trapdoor permutations $(\mathcal{F}_1, \mathcal{F}_2)$, the construction is as follows:

• G is the key generator for $(\mathcal{F}_1, \mathcal{F}_2)$.

• $S^O(\mathrm{sk}, m) = f_1^{-1}(\mathrm{sk}, O(b, m))$ for a random bit $b$.

• $V^O(\mathrm{pk}, m, \sigma)$ is 1 if either $f_1(\mathrm{pk}, \sigma) = O(0, m)$ or $f_1(\mathrm{pk}, \sigma) = O(1, m)$.

We construct a history-free reduction from an adversary A for S to an adversary B for $(\mathcal{F}_1, \mathcal{F}_2)$. The random oracle for this reduction, $O_c(r)$, generates a random pair $(a, b)$, where $a$ is a random element from the domain of $\mathcal{F}_1$ and $\mathcal{F}_2$, and $b$ is a random bit. On input pk, B works as follows:

• Compute $\mathrm{START}(\mathrm{pk}) = (\mathrm{pk}, \mathrm{pk})$, and simulate A on pk. Notice that $z = \mathrm{pk}$ is the state saved by B.

• When A queries $O(b, r)$, compute $\mathrm{RAND}^{O_c}(b, r, \mathrm{pk})$. For each string $(b, r)$, RAND works as follows: compute $(a, b') = O_c(r)$. If $b = b'$, return $f_1(\mathrm{pk}, a)$. Otherwise, return $f_2(\mathrm{pk}, a)$.

• When A queries $S(\mathrm{sk}, m)$, compute $\mathrm{SIGN}^{O_c}(m, \mathrm{pk})$. SIGN works as follows: compute $(a, b) = O_c(m)$ and return $a$.

• When A returns $(m, \sigma)$, compute $\mathrm{FINISH}^{O_c}(m, \sigma, \mathrm{pk})$. FINISH works as follows: compute $(a, b) = O_c(m)$. If $\sigma = a$, abort. Otherwise, output $(\sigma, a)$.

In addition, we have $\mathrm{INSTANCE}(\mathrm{pk}) = \mathrm{pk}$ and $\mathrm{START}(\mathrm{INSTANCE}(\mathrm{pk})) = (\mathrm{pk}, \mathrm{pk})$, so INSTANCE and START satisfy the required properties.

Theorem 4.9. The reduction above is in history-free form.

Proof. $\mathrm{RAND}^{O_c}(b, r, \mathrm{pk})$ is completely random and independently distributed, as $f_1(\mathrm{pk}, a)$ and $f_2(\mathrm{pk}, a)$ are both random ($f_b$ is a permutation and $a$ is truly random). Observe that $f_1(\mathrm{pk}, \mathrm{SIGN}^{O_c}(m, \mathrm{pk})) = f_1(\mathrm{pk}, a) = O(b, m)$ where $(a, b) = O_c(m)$. Thus, signing queries are always answered with a valid signature, and the distribution of signatures is identical to that of the correct signing algorithm since $b$ is chosen uniformly.

Suppose A returns a valid forgery $(m, \sigma)$. Let $(a, b) = O_c(m)$. There are two cases, corresponding to whether $\sigma$ corresponds to a signature using $b$ or $1 - b$. In the first case, we have $f_1(\mathrm{pk}, \sigma) = O(b, m) = f_1(\mathrm{pk}, a)$, meaning $\sigma = a$, so we abort. Otherwise, $f_1(\mathrm{pk}, \sigma) = O(1 - b, m) = f_2(\mathrm{pk}, a)$, so $(\sigma, a)$ forms a claw. Since the adversary never asked for a signing query on $m$, these two cases are indistinguishable by the same logic as the proof for FDH. Thus, the probability of failure is at most a half, which is non-negligible. □

Corollary 4.10. If quantum-accessible pseudorandom functions exist, and $(\mathcal{F}_1, \mathcal{F}_2)$ is a pair of claw-free trapdoor permutations, then the Katz-Wang signature scheme instantiated with $\mathcal{F}_1$ is secure against quantum adversaries.

As in the case of FDH, our simulated quantum-accessible random oracle is truly random, so we do not need to rely on Lemma 4.4. Thus, the tightness of our reduction is the same as in the classical case. In particular, if the quantum adversary $A_Q$ has advantage $\epsilon$ then B will have advantage $\epsilon/2$.

PSF Signatures from Claw-Free Permutations Gentry et al. [GPV08] note that claw-free permutations give rise to pre-image sampleable trapdoor functions (PSFs). These PSFs can then be used to construct an FDH signature scheme as in Section 4.1.

Given a pair of claw-free permutations $(\mathcal{F}_1, \mathcal{F}_2)$, define the following PSF: G is just the generator for the pair of permutations. $\mathrm{Sample}(\mathrm{pk})$ generates a random bit $b$ and random $x$ in the domain of $f_b$, and returns $(x, b)$. $f(\mathrm{pk}, x, b) = f_b(\mathrm{pk}, x)$, and $f^{-1}(\mathrm{sk}, y) = (f_b^{-1}(\mathrm{sk}, y), b)$ for a random $b$. Suppose we have a collision $((x_1, b_1), (x_2, b_2))$ for this PSF. Then

$$f_{b_1}(\mathrm{pk}, x_1) = f(\mathrm{pk}, x_1, b_1) = f(\mathrm{pk}, x_2, b_2) = f_{b_2}(\mathrm{pk}, x_2).$$

If $b_1 = b_2$, then $x_1 = x_2$ since $f_{b_1}$ is a permutation. But this is impossible since $(x_1, b_1) \neq (x_2, b_2)$. Thus, $b_1 \neq b_2$, so one of $(x_1, x_2)$ or $(x_2, x_1)$ is a claw for

Hence, we can instantiate FDH with this PSF to get the following signature scheme:

• G is the generator for the permutations.

• $S^O(\mathrm{sk}, m) = (f_b^{-1}(\mathrm{sk}, O(m)), b)$ for a random bit $b$.

• $V^O(\mathrm{pk}, m, (\sigma, b)) = 1$ if and only if $f_b(\mathrm{pk}, \sigma) = O(m)$.

The security of this scheme follows from Corollary 4.6 with a similar tightness guarantee (this PSF has only a pre-image min-entropy of 1, which results in a loss of a factor of two in the tightness of the reduction). In particular, if we have a quantum adversary $A_Q$ for S with advantage $\epsilon$, we get a quantum algorithm $B_Q$ for the PSF with advantage $\epsilon/2$, which gives us a quantum algorithm $C_Q$ that finds claws of $(\mathcal{F}_1, \mathcal{F}_2)$ with probability $\epsilon/2$.
5 Encryption Schemes in the Quantum-Accessible Random Oracle Model

In this section, we prove the security of two encryption schemes. The first is the BR encryption scheme due to Bellare and Rogaway [BR93], which we show is CPA secure. The second is a hybrid generalization of the BR scheme, which we show is CCA secure.

Ideally, we could define a general type of classical reduction like we did for 
signatures, and show that such a reduction implies quantum security. Unfor- 
tunately, defining a history-free reduction for encryption is considerably more 
complicated than for signatures. We therefore directly prove the security of two 
random oracle schemes in the quantum setting. 

5.1 CPA Security of BR Encryption 

In this section, we prove the security of the BR encryption scheme [BR93] against quantum adversaries:

Definition 5.1 (BR Encryption Scheme). Let $\mathcal{F} = (G_0, f, f^{-1})$ be an injective trapdoor function, and $O$ a hash function with the same domain as $f(\mathrm{pk}, \cdot)$. We define the following encryption scheme, $\mathcal{E} = (G, E, D)$ where:

• $G = G_0$

• $E^O(\mathrm{pk}, m) = (f(\mathrm{pk}, r), O(r) \oplus m)$ for a randomly chosen $r$.

• $D^O(\mathrm{sk}, (y, c)) = c \oplus O(f^{-1}(\mathrm{sk}, y))$

A cand idate quantum-immune injective trapdoor function can be built from hard problems on lattices [PW08].

Theorem 5.2. If quantum-accessible pseudorandom functions exist and $\mathcal{F}$ is a quantum-immune injective trapdoor function, then $\mathcal{E}$ is quantum CPA secure.

We omit the proof of Theorem 5.2 because the CPA security of the BR encryption scheme is a special case of the CCA security of the hybrid encryption scheme in the next section.

5.2 CCA Security of Hybrid Encryption 

We now prove the CCA security of the following standard hybrid encryption, 
a generalization of the BR encryption scheme scheme [BR93| . built from an 
injective trapdoor function and symmetric key encryption scheme. 

Definition 5.3 (Hybrid Encryption Scheme). Let $\mathcal{F} = (G_0, f, f^{-1})$ be an 
injective trapdoor function, $\mathcal{E}_S = (E_S, D_S)$ be a CCA secure symmetric key 
encryption scheme, and $O$ a hash function whose range is the key space of $\mathcal{E}_S$. 
We define the following encryption scheme, $\mathcal{E} = (G, E, D)$ where: 

• $G = G_0$ 

• $E^O(\mathrm{pk}, m) = (f(\mathrm{pk}, r),\ E_S(O(r), m))$ for a randomly chosen $r$. 

• $D^O(\mathrm{sk}, (y, c)) = D_S(O(r'), c)$ where $r' = f^{-1}(\mathrm{sk}, y)$ 

We note that the BR encryption scheme from the previous section is a special 
case of this hybrid encryption scheme where $\mathcal{E}_S$ is the one-time pad. That is, 
$E_S(k, m) = k \oplus m$ and $D_S(k, c) = k \oplus c$. 
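Both schemes written out in Python, as an added example that is not code from the paper. Textbook RSA with two fixed Mersenne primes stands in for the injective trapdoor function $\mathcal{F}$ (an assumption made purely to show the structure: RSA is not quantum-immune and these parameters are far too small for real use), SHAKE-256 stands in for the random oracle $O$, and $\mathcal{E}_S$ is an encrypt-then-MAC construction from a SHAKE-256 keystream and HMAC-SHA256. All helper names are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for F = (G_0, f, f^-1): textbook RSA over two Mersenne
# primes. Assumption for illustration only; RSA is not quantum-immune and these
# parameters are far too small for real use.
_P = 2 ** 31 - 1
_Q = 2 ** 61 - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))


def keygen():
    """G = G_0: returns (pk, sk)."""
    return (_N, _E), (_N, _D)


def f(pk, r):
    """f(pk, r); RSA is a permutation of Z_N, hence injective."""
    n, e = pk
    return pow(r, e, n)


def f_inv(sk, y):
    """f^-1(sk, y)."""
    n, d = sk
    return pow(y, d, n)


def O(r, length):
    """Random oracle stand-in: SHAKE-256 of r, output length chosen by the caller."""
    return hashlib.shake_256(b"RO|" + r.to_bytes(12, "big")).digest(length)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


KEYLEN = 32   # key space of E_S is {0,1}^256
TAGLEN = 16


def es_encrypt(k, m):
    """E_S: XOR with a SHAKE-256 keystream, then HMAC-SHA256 over the ciphertext
    (encrypt-then-MAC, so the tag rejects any modified ciphertext)."""
    body = xor(hashlib.shake_256(b"enc|" + k).digest(len(m)), m)
    tag = hmac.new(k, body, hashlib.sha256).digest()[:TAGLEN]
    return body + tag


def es_decrypt(k, c):
    """D_S: returns None (rejects) when the tag does not verify."""
    body, tag = c[:-TAGLEN], c[-TAGLEN:]
    expected = hmac.new(k, body, hashlib.sha256).digest()[:TAGLEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return xor(hashlib.shake_256(b"enc|" + k).digest(len(body)), body)


def hybrid_encrypt(pk, m):
    """E^O(pk, m) = (f(pk, r), E_S(O(r), m)) for random r (Definition 5.3)."""
    r = secrets.randbelow(pk[0] - 1) + 1
    return f(pk, r), es_encrypt(O(r, KEYLEN), m)


def hybrid_decrypt(sk, ct):
    """D^O(sk, (y, c)) = D_S(O(r'), c) with r' = f^-1(sk, y)."""
    y, c = ct
    return es_decrypt(O(f_inv(sk, y), KEYLEN), c)


def br_encrypt(pk, m):
    """BR (Definition 5.1): the special case E_S = one-time pad, so O(r) is as long as m."""
    r = secrets.randbelow(pk[0] - 1) + 1
    return f(pk, r), xor(O(r, len(m)), m)


def br_decrypt(sk, ct):
    y, c = ct
    return xor(O(f_inv(sk, y), len(c)), c)


def flip_first_bit(c):
    """Tamper helper: a chosen-ciphertext query derived from an honest ciphertext."""
    return bytes([c[0] ^ 1]) + c[1:]
```

Decrypting a tampered hybrid ciphertext returns None because the MAC fails, whereas the BR one-time pad silently returns the message with the same bit flipped. That malleability is why Theorem 5.2 claims only CPA security for BR, and why Theorem 5.4 needs $\mathcal{E}_S$ to be CCA secure rather than merely indistinguishable under a single challenge.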

Theorem 5.4. If quantum-accessible pseudorandom functions exist, $\mathcal{F}$ is a 
quantum-immune injective trapdoor function, and $\mathcal{E}_S$ is a quantum CCA secure 
symmetric key encryption scheme, then $\mathcal{E}$ is quantum CCA secure. 

Proof. Suppose we have an adversary $A_Q$ that breaks $\mathcal{E}$. We start with the 
standard security game for CCA secure encryption: 

Game 0. Define $\mathrm{Game}_0$ as the game a quantum adversary $A_Q$ plays for the problem 
$\mathrm{Asym\text{-}CCA}(\mathcal{E})$. 

Game 1. Define $\mathrm{Game}_1$ as the following game: the challenger generates $(\mathrm{sk}, \mathrm{pk}) \leftarrow G(1^n)$, 
a random $r$ in the domain of $\mathcal{F}$, a random $k$ in the key space of $\mathcal{E}_S$, and 
computes $y = f(\mathrm{pk}, r)$. The challenger has access to a quantum-accessible random 
oracle $O_q$ whose range is the key space of $\mathcal{E}_S$. It then sends $\mathrm{pk}$ to $A_Q$. The 
challenger answers queries as follows: 

• Random oracle queries are answered with the random oracle $O_{\mathrm{quant}}$, which 
maps a basis element $|x, y\rangle$ to $|x, y \oplus O_q(f(\mathrm{pk}, x))\rangle$. 

• Decryption queries on $(y', c')$ are answered as follows: 
Case 1: If $y = y'$, respond with $D_S(k, c')$. 
Case 2: If $y \neq y'$, respond with $D_S(O_q(y'), c')$. 

• The challenge query on $(m_0, m_1)$ is answered as follows: choose a random 
bit $b$. Then, respond with $(y, E_S(k, m_b))$. 

When $A_Q$ responds with $b'$, we say that $A_Q$ won if $b = b'$. 

Observe that, because $f$ is injective and $O_q$ is random, the oracle $O_{\mathrm{quant}}$ is a 
truly random oracle with the same range as $O_q$. The challenge ciphertext $(y, c)$ 
seen by $A_Q$ is distributed identically to that of $\mathrm{Game}_0$. Further, it is a valid 
encryption of $m_b$ relative to the random oracle $O_{\mathrm{quant}}$ if $O_q(y) = k$. For 
$y' \neq y$, the decryption of $(y', c')$ is 

$$D_S(O_q(y'), c') = D_S\big(O_q(f(\mathrm{pk}, f^{-1}(\mathrm{sk}, y'))), c'\big) = D^{O_{\mathrm{quant}}}(\mathrm{sk}, (y', c')),$$

which is correct. Likewise, if $O_q(y) = k$, the decryption of $(y, c')$ is also correct. 
Thus, the view of $A_Q$ in $\mathrm{Game}_1$ is identical to that in $\mathrm{Game}_0$ if $O_q(y) = k$. We 
now make the following observations: 

• The challenge query and decryption query answering algorithms never query 
$O_q$ on $y$. 

• Each quantum random oracle query from the adversary to $O_{\mathrm{quant}}$ leads 
to a quantum random oracle query from the challenger to $O_q$. The query 
magnitude of $y$ in the challenger's query to $O_q$ is the same as the query 
magnitude of $r$ in the adversary's query to $O_{\mathrm{quant}}$. 

Let $\epsilon$ be the sum of the square magnitudes of $y$ over all queries made to $O_q$ (i.e. 
the total query probability of $y$). This is identical to the total query probability 
of $r$ over all queries $A_Q$ makes to $O_{\mathrm{quant}}$. 

We now construct a quantum algorithm $B_{\mathcal{F}}^{O_q}$ that uses a quantum-accessible 
random oracle $O_q$, and inverts $f$ with probability $\epsilon/q$, where $q$ is the number of 
random oracle queries made by $A_Q$. $B_{\mathcal{F}}^{O_q}$ takes as input $(\mathrm{pk}, y)$, and its goal is 
to output $r = f^{-1}(\mathrm{sk}, y)$. $B_{\mathcal{F}}^{O_q}$ works as follows: 

• Generate a random $k$ in the key space of $\mathcal{E}_S$. Also, generate a random 
$i \in \{1, \ldots, q\}$. Now, send $\mathrm{pk}$ to $A_Q$ and play the role of challenger to $A_Q$. 

• Answer random oracle queries with the random oracle $O_{\mathrm{quant}}$, which maps 
a basis element $|x, y\rangle$ to $|x, y \oplus O_q(f(\mathrm{pk}, x))\rangle$. 

• Answer decryption queries on $(y', c')$ as follows: 
Case 1: If $y = y'$, respond with $D_S(k, c')$. 
Case 2: If $y \neq y'$, respond with $D_S(O_q(y'), c')$. 

• Answer the challenge query on $(m_0, m_1)$ as follows: choose a random bit $b$. 
Then, respond with $(y, E_S(k, m_b))$. 

• At the $i$th random oracle query, measure the query register to get $r'$, output $r'$ 
and terminate. 

Comparing our definition of $B_{\mathcal{F}}^{O_q}$ to $\mathrm{Game}_1$, we can conclude that the view seen 
by $A_Q$ in both cases is identical up to the point where $B_{\mathcal{F}}^{O_q}$ terminates. Thus, the total query probability that $A_Q$ makes 
to $O_{\mathrm{quant}}$ at the point $r$ is $\epsilon$. Hence, the probability that $B_{\mathcal{F}}^{O_q}$ outputs $r$ is $\epsilon/q$. 
If we assume that $\mathcal{F}$ is secure against quantum adversaries that use a quantum-accessible 
random oracle, then this quantity, and hence $\epsilon$, must be negligible. As 
in the case of signatures (Section 4), we can replace this assumption with the 
assumption that $\mathcal{F}$ is secure against quantum adversaries (i.e. with no access to 
a quantum random oracle) and that quantum-accessible pseudorandom functions exist to reach the 
same conclusion. 
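The challenger of $\mathrm{Game}_1$, equivalently $B_{\mathcal{F}}^{O_q}$, written out classically for the BR special case ($\mathcal{E}_S$ = one-time pad) as an added example that is not code from the paper. The point it makes concrete is that every query is answered from $\mathrm{pk}$, $y$ and the lazily sampled table $O_q$ alone: Case 2 decryptions need no $\mathrm{sk}$ because the adversary's oracle $O_{\mathrm{quant}}(x) = O_q(f(\mathrm{pk}, x))$ already ties $O(r')$ to $O_q(y')$, and the $i$th oracle query is what the inverter outputs. Textbook RSA with fixed Mersenne primes stands in for $f$ (an assumption for structure only), and the harness hands the toy adversary the secret $r$ only to exercise the extraction path; in the real game it would have to find $r$ itself.

```python
import secrets

# Constructed public parameters standing in for (pk, f): textbook RSA over two
# Mersenne primes (assumption for illustration). The simulator never holds the
# private exponent: it answers every query with pk and y = f(pk, r) alone.
_N = (2 ** 31 - 1) * (2 ** 61 - 1)
_E = 65537
KEYLEN = 16   # O_q outputs 16-byte keys; messages are 16 bytes for the one-time pad


def f(x):
    """f(pk, x) with pk = (N, E); injective, so x -> O_q(f(pk, x)) is still a random oracle."""
    return pow(x, _E, _N)


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


class Game1Simulator:
    """Challenger of Game 1 (equivalently B_F) for the BR scheme, given only (pk, y)."""

    def __init__(self, y):
        self.y = y
        self.k = secrets.token_bytes(KEYLEN)   # random k used in place of O_q(y)
        self._oq = {}                          # lazily sampled table for O_q
        self.queries = []                      # the adversary's oracle inputs, for extraction
        self.b = None

    def O_q(self, v):
        if v not in self._oq:
            self._oq[v] = secrets.token_bytes(KEYLEN)
        return self._oq[v]

    def oracle(self, x):
        """The adversary's view of the random oracle: O_quant(x) = O_q(f(pk, x))."""
        self.queries.append(x)
        return self.O_q(f(x))

    def decrypt(self, y_prime, c_prime):
        """Case 1 uses k; Case 2 uses O_q(y') and never needs sk."""
        key = self.k if y_prime == self.y else self.O_q(y_prime)
        return xor(key, c_prime)

    def challenge(self, m0, m1):
        self.b = secrets.randbelow(2)
        return self.y, xor(self.k, m1 if self.b else m0)

    def extract(self, i):
        """B_F's last step: output the i-th oracle query as the candidate preimage of y."""
        return self.queries[i]


def demo():
    """Harness: plays a toy adversary against the simulator and reports three checks.
    r_star is handed to the 'adversary' only so that the extraction path is exercised."""
    r_star = secrets.randbelow(_N - 1) + 1
    sim = Game1Simulator(f(r_star))                 # the inverter's input is (pk, y)
    m = b"sixteen byte msg"

    # 1. The adversary encrypts its own message through the simulated oracle and asks
    #    for the decryption (Case 2): the answer must match although sk is unknown.
    r = secrets.randbelow(_N - 1) + 1
    c = xor(sim.oracle(r), m)
    case2_consistent = sim.decrypt(f(r), c) == m

    # 2. Challenge, then a Case 1 decryption of the related ciphertext (y, c ^ 1):
    #    answered consistently with k, and it reveals m_b with one bit flipped
    #    because the one-time pad is malleable (BR is only claimed CPA secure).
    m0, m1 = b"message zero ...", b"message one  ..."
    y, c_star = sim.challenge(m0, m1)
    related = sim.decrypt(y, bytes([c_star[0] ^ 1]) + c_star[1:])
    case1_consistent = related[1:] == (m1 if sim.b else m0)[1:]

    # 3. The adversary queries the oracle at r_star; B_F measures that query.
    sim.oracle(r_star)
    i = len(sim.queries) - 1                          # stands in for the random i in {1..q}
    recovered = f(sim.extract(i)) == sim.y
    return {"case2_consistent": case2_consistent,
            "case1_consistent": case1_consistent,
            "recovered_preimage": recovered}
```

If $f$ were not injective, two oracle inputs $x \neq x'$ with $f(\mathrm{pk}, x) = f(\mathrm{pk}, x')$ would receive the same answer from `oracle`, and the adversary could distinguish the simulation from a truly random oracle; this is exactly the injectivity requirement of Theorem 5.4.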

Since $\epsilon$ is negligible, we can set $O_q(y) = k$ in $\mathrm{Game}_1$, thus getting a game 
identical to $\mathrm{Game}_0$ from the adversary's point of view. Notice that in $\mathrm{Game}_0$ 
and $\mathrm{Game}_1$, $A_Q$ is in a pure state because we are only applying unitary transformations, 
performing measurements, or performing classical communication. We 
are only changing the oracle at a point with negligible total query probability, 
so Lemma 2.2 tells us that making this change only affects the distribution of 
the outcome of $\mathrm{Game}_1$ negligibly. This allows us to conclude that the success 
probability of $A_Q$ in $\mathrm{Game}_1$ is negligibly close to that in $\mathrm{Game}_0$. 
Now, assume that the success probability of $A_Q$ in $\mathrm{Game}_1$ is non-negligible. 
We now define a quantum algorithm $B_{\mathcal{E}}^{O_q}$ that uses a quantum-accessible random 
oracle $O_q$ to break the CCA security of $\mathcal{E}_S$. $B_{\mathcal{E}}^{O_q}$ works as follows: 

• On input $1^n$, generate $(\mathrm{sk}, \mathrm{pk}) \leftarrow G(1^n)$. Also, generate a random $r$, and 
compute $y = f(\mathrm{pk}, r)$. Now send $\mathrm{pk}$ to $A_Q$ and play the role of challenger to 
$A_Q$. 

• Answer random oracle queries with the random oracle $O_{\mathrm{quant}}$, which maps 
a basis element $|x, y\rangle$ to $|x, y \oplus O_q(f(\mathrm{pk}, x))\rangle$. 

• Answer decryption queries on $(y', c')$ as follows: 
Case 1: If $y = y'$, ask the $\mathcal{E}_S$ challenger for the decryption $D_S(k, c')$ to obtain 
$m'$. Return $m'$ to $A_Q$. (Since $A_Q$ may not ask for the decryption of the challenge 
ciphertext $(y, c)$ after the challenge, this never forwards the forbidden query $D_S(k, c)$.) 
Case 2: If $y \neq y'$, respond with $D_S(O_q(y'), c')$. 

• Answer the challenge query on $(m_0, m_1)$ by forwarding the pair to the $\mathcal{E}_S$ challenger. When 
the challenger responds with $c$ (which equals $E_S(k, m_b)$ for some $b$), return 
$(y, c)$ to $A_Q$. 

• When $A_Q$ outputs $b'$, output $b'$ and halt. 

Comparing our definition of $B_{\mathcal{E}}^{O_q}$ to that of $\mathrm{Game}_1$, we can conclude that the 
view of $A_Q$ in both cases is identical. Thus, $A_Q$ succeeds with non-negligible 
probability. If $A_Q$ succeeds, it means it returned $b$, meaning $B_{\mathcal{E}}^{O_q}$ also succeeded. 
Thus, we have an algorithm with a quantum random oracle that breaks $\mathcal{E}_S$. 
This is a contradiction if $\mathcal{E}_S$ is CCA secure against quantum adversaries with 
access to a quantum random oracle, which holds since $\mathcal{E}_S$ is CCA secure against 
quantum adversaries and quantum-accessible pseudorandom functions exist, by 
assumption. 

Thus, the success probability of $A_Q$ in $\mathrm{Game}_1$ is negligible, so the success 
probability of $A_Q$ in $\mathrm{Game}_0$ is also negligible. Hence, we have shown that all 
polynomial time quantum adversaries have negligible advantage in 
breaking the CCA security of $\mathcal{E}$, so $\mathcal{E}$ is CCA secure. □ 

We briefly explain why Theorem 5.2 is a special case of Theorem 5.4. Notice 
that, in the above proof, $B_{\mathcal{E}}^{O_q}$ only queries its decryption oracle when answering 
decryption queries made by $A_Q$, and that it never makes encryption queries. 
Hence, if $A_Q$ makes no decryption queries, $B_{\mathcal{E}}^{O_q}$ makes no queries at all except 
the challenge query. If we are only concerned with the CPA security of $\mathcal{E}$, we 
then only need $\mathcal{E}_S$ to be secure against adversaries that can only make the 
challenge query. Further, if we only let $A_Q$ make a challenge query with messages 
of length $n$, then $\mathcal{E}_S$ only has to be secure against adversaries making challenges 
of a specific length. But this is exactly the model in which the one-time pad is 
unconditionally secure. Hence, the BR encryption scheme is secure, and we have 
proved Theorem 5.2. 
6 Conclusion 

We have shown that great care must be taken if using the random oracle model 
when arguing security against quantum attackers. Proofs in the classical case 
should be reconsidered, especially in case the quantum adversary can access the 
random oracle with quantum states. We also developed conditions for translating 
security proofs in the classical random oracle model to the quantum random 
oracle model. We applied these tools to certain signature and encryption schemes. 

The foremost question raised by our results is to what extent techniques for 
"classical random oracles" can be applied in the quantum case. This stems from 
the fact that manipulating or even observing the interaction with the quantum-accessible 
random oracle would require measurements of the quantum states. 
That, however, prevents further processing of the query in a quantum manner. 
We gave several examples of schemes that remain secure in the quantum setting, 
provided quantum-accessible pseudorandom functions exist. The latter primitive 
seems to be fundamental to simulate random oracles in the quantum world. 
Showing or disproving the existence of such pseudorandom functions is thus an 
important step. 

Many classical random oracle results remain open in the quantum random 
oracle settings. It is not known how to prove security of generic FDH signatures 
as well as signatures derived from the Fiat- Shamir heuristic in the quantum 
random oracle model. Similarly, a secure generic transformation from CPA to 
CCA security in the quantum RO model is still open. 
A Definitions 

Definition A.1 (Trapdoor Permutation). A trapdoor permutation is a triple 
of functions $\mathcal{F} = (G, f, f^{-1})$ where: 

• $G(1^n)$ generates a private/public key pair $(\mathrm{sk}, \mathrm{pk})$. 

• $f(\mathrm{pk}, \cdot)$ is a permutation for all $\mathrm{pk}$. 

• $f^{-1}(\mathrm{sk}, \cdot)$ is the inverse of $f(\mathrm{pk}, \cdot)$ for all $(\mathrm{pk}, \mathrm{sk})$ generated by $G$. That is, 
$f^{-1}(\mathrm{sk}, f(\mathrm{pk}, x)) = x$ and $f(\mathrm{pk}, f^{-1}(\mathrm{sk}, y)) = y$. 

For a trapdoor permutation $\mathcal{F}$, we define the problem $\mathrm{Inv}(\mathcal{F}) = (\mathrm{Game}(\mathcal{F}), 0)$ 
where $\mathrm{Game}(\mathcal{F})$ is the following game between a quantum adversary $A$ and the 
challenger $\mathrm{Ch}$: $\mathrm{Ch}$, on input $n$, runs $G(1^n)$ to obtain $(\mathrm{sk}, \mathrm{pk})$ and generates a 
random $y$ in the range of $f(\mathrm{pk}, \cdot)$. It sends $(\mathrm{pk}, y)$ to $A$. $A$ is allowed to make 
quantum random oracle queries $O(\cdot)$. When $A$ outputs $x$, $\mathrm{Ch}$ outputs 1 if and 
only if $f(\mathrm{pk}, x) = y$. 

Definition A.2. A trapdoor permutation $\mathcal{F}$ is secure against quantum adversaries 
if $\mathrm{Inv}(\mathcal{F})$ is hard for quantum computers. 

The following definition is due to [GPV08]: 

Definition A.3 (Preimage Sampleable Trapdoor Function). A quadruple 
of functions $\mathcal{F} = (G, \mathrm{Sample}, f, f^{-1})$ is a trapdoor collision-resistant hash 
function with preimage sampling (PSF) if: 

• $G(1^n)$ generates secret and public keys $(\mathrm{sk}, \mathrm{pk})$. 

• $f(\mathrm{pk}, \cdot)$ has domain $D$ and range $R$. 

• $\mathrm{Sample}(1^n)$ samples from a distribution on $D$ such that for all $\mathrm{pk}$ the distribution 
$f(\mathrm{pk}, \mathrm{Sample}(1^n))$ is within $\epsilon_{\mathrm{sample}}$ of uniform. 

• $f^{-1}(\mathrm{sk}, y)$ generates an $x$ such that $f(\mathrm{pk}, x) = y$. The distribution is within 
$\epsilon_{\mathrm{pre}}$ of the conditional distribution of $\mathrm{Sample}(1^n)$ given $f(\mathrm{pk}, x) = y$, where 
$\epsilon_{\mathrm{pre}}$ is negligible. 

• Pre-image Min-entropy: For all $y \in R$, the probability of any element in the 
conditional distribution of $\mathrm{Sample}(1^n)$ given $f(\mathrm{pk}, x) = y$ is less than $\epsilon_{\mathrm{prob}}$, 
where $\epsilon_{\mathrm{prob}}$ is negligible. 

For a PSF, we define two problems: $\mathrm{Inv}(\mathcal{F})$ is identical to the problem with 
the same name for trapdoor permutations, and $\mathrm{Col}(\mathcal{F}) = (\mathrm{Game}(\mathcal{F}), 0)$ where 
$\mathrm{Game}(\mathcal{F})$ is the following game between a quantum adversary $A$ and the challenger 
$\mathrm{Ch}$: $\mathrm{Ch}$, on input $n$, runs $G(1^n)$ to obtain $(\mathrm{sk}, \mathrm{pk})$, and sends $\mathrm{pk}$ to $A$. $A$ 
is allowed to make quantum random oracle queries $O(\cdot)$. When $A$ outputs a pair 
$(x_1, x_2)$, $\mathrm{Ch}$ outputs 1 if and only if both $x_1 \neq x_2$ and $f(\mathrm{pk}, x_1) = f(\mathrm{pk}, x_2)$. 

Definition A.4. A PSF $\mathcal{F}$ is secure against quantum adversaries if $\mathrm{Inv}(\mathcal{F})$ and 
$\mathrm{Col}(\mathcal{F})$ are both hard for quantum computers. 

[GPV08] construct a PSF whose security is based on the hardness of lattice 
problems. 

Signature schemes. We next review signature schemes using our unified notation. 

Definition A.5 (Signature Scheme). A random oracle signature scheme is 
a triple of functions $\mathcal{S} = (G, S^O, V^O)$ where: 

• $O$ is a random oracle. 

• $G(1^n)$ generates a pair $(\mathrm{sk}, \mathrm{pk})$ where $\mathrm{sk}$ is the signer's private key, and $\mathrm{pk}$ 
is the public key. 

• $S^O(\mathrm{sk}, m)$ generates a signature $\sigma$. 

• $V^O(\mathrm{pk}, m, \sigma)$ returns 1 if and only if $\sigma$ is a valid signature on $m$. 

We require that $V^O(\mathrm{pk}, m, S^O(\mathrm{sk}, m)) = 1$ for all $m$ and $(\mathrm{sk}, \mathrm{pk})$ generated 
by $G$. 

For a signature scheme $\mathcal{S}$, we define the problem $\mathrm{Sig\text{-}Forge}(\mathcal{S}) = (\mathrm{Game}(\mathcal{S}), 0)$ 
where $\mathrm{Game}(\mathcal{S})$ is the following game between a quantum adversary $A$ and the 
challenger $\mathrm{Ch}^O$: $\mathrm{Ch}^O$, on input $n$, runs $G(1^n)$ to obtain $(\mathrm{sk}, \mathrm{pk})$. It then sends 
$\mathrm{pk}$ to $A$. $A$ is allowed to make quantum random oracle queries $O(\cdot)$ and classical 
signature queries $S^O(\mathrm{sk}, \cdot)$ to $\mathrm{Ch}^O$. When $A$ outputs a forgery candidate $(m, \sigma)$, 
$\mathrm{Ch}^O$ outputs 1 if and only if $A$ never asked for a signature on $m$ and $\sigma$ is a valid 
signature for $m$ ($V^O(\mathrm{pk}, m, \sigma) = 1$). 

Definition A.6. A signature scheme $\mathcal{S}$ is secure against quantum adversaries 
if $\mathrm{Sig\text{-}Forge}(\mathcal{S})$ is hard for quantum computers. 

Encryption. We next review encryption systems using our notation. 

Definition A.7 (Symmetric Key Encryption Scheme). A symmetric key 
random oracle encryption scheme is a pair of functions $\mathcal{E} = (E^O, D^O)$ where: 

• $E^O(k, m)$ generates a ciphertext $c$. 

• $D^O(k, c)$ computes the plaintext $m$ corresponding to ciphertext $c$. We require 
that $D^O(k, E^O(k, m)) = m$. 

For a symmetric key encryption scheme $\mathcal{E}$, we define the problem $\mathrm{Sym\text{-}CCA}(\mathcal{E}) = 
(\mathrm{Game}(\mathcal{E}), \frac{1}{2})$ where $\mathrm{Game}(\mathcal{E})$ is the following game between a quantum adversary 
$A$ and the challenger $\mathrm{Ch}^O$: $\mathrm{Ch}^O$, on input $n$, generates a key $k$ of length 
$n$ at random, which it keeps secret from $A$. $A$ is allowed to make quantum random oracle 
queries $O(\cdot)$, classical encryption queries $E^O(k, \cdot)$, and classical decryption 
queries $D^O(k, \cdot)$. $A$ is also allowed one classical challenge query, where it sends 
$\mathrm{Ch}^O$ a pair $(m_0, m_1)$. $\mathrm{Ch}^O$ chooses a random bit $b$, and computes $c = E^O(k, m_b)$, 
which it sends to $A$. When $A$ returns a bit $b'$, $\mathrm{Ch}^O$ outputs 1 if and only if both 
$b = b'$ and there was no decryption query $D^O(k, c)$ after the challenge query. 

Definition A.8 (Symmetric Key CCA Security). A symmetric key encryption 
scheme $\mathcal{E}$ is Chosen Ciphertext Attack (CCA) secure against quantum 
adversaries if $\mathrm{Sym\text{-}CCA}(\mathcal{E})$ is hard for quantum computers. 

Definition A.9 (Asymmetric Key Encryption Scheme). An asymmetric 
key encryption scheme is a triple of functions $\mathcal{E} = (G, E^O, D^O)$ where: 

• $G(1^n)$ generates a private/public key pair $(\mathrm{sk}, \mathrm{pk})$. 

• $E^O(\mathrm{pk}, m)$ generates a ciphertext $c$. 

• $D^O(\mathrm{sk}, c)$ computes the plaintext $m$ corresponding to ciphertext $c$. We require 
that $D^O(\mathrm{sk}, E^O(\mathrm{pk}, m)) = m$. 

For an asymmetric key encryption scheme $\mathcal{E}$, we define the problem $\mathrm{Asym\text{-}CCA}(\mathcal{E}) = 
(\mathrm{Game}(\mathcal{E}), \frac{1}{2})$ where $\mathrm{Game}(\mathcal{E})$ is the following game between a quantum 
adversary $A$ and the challenger $\mathrm{Ch}^O$: $\mathrm{Ch}^O$, on input $n$, uses $G(1^n)$ to generate 
$(\mathrm{sk}, \mathrm{pk})$, and sends $\mathrm{pk}$ to $A$. $A$ is allowed to make quantum random oracle 
queries $O(\cdot)$ and classical decryption queries $D^O(\mathrm{sk}, \cdot)$. $A$ is also allowed to make 
one classical challenge query, where it sends $\mathrm{Ch}^O$ a pair $(m_0, m_1)$. $\mathrm{Ch}^O$ chooses 
a random bit $b$, and computes $c = E^O(\mathrm{pk}, m_b)$, which it sends to $A$. When $A$ 
returns a bit $b'$, $\mathrm{Ch}^O$ outputs 1 if and only if both $b = b'$ and there was no 
decryption query $D^O(\mathrm{sk}, c)$ after the challenge query. 

Definition A.10 (Asymmetric Key CCA Security). An asymmetric key 
encryption scheme $\mathcal{E}$ is Chosen Ciphertext Attack (CCA) secure against quantum 
adversaries if $\mathrm{Asym\text{-}CCA}(\mathcal{E})$ is hard for quantum computers. 

B Security of the IS* Protocol 

To prove security of our protocol we need to show that an adversary $A$, after 
interacting with an honest prover $P^*$, cannot subsequently impersonate $P^*$ 
such that $V^*$ accepts the identification. 

Security against Classical Adversaries. We first show that the IS* protocol is 
secure in the (standard) random oracle model against classical adversaries and 
then discuss that there exist hash functions which can securely replace the 
random oracle. 
Lemma B.1. Let $\mathrm{IS} = (\mathrm{IS.KGen}, \mathcal{P}, \mathcal{V})$ be a secure identification scheme. Then 
for any efficient classical adversary $A$ and $\ell > 6\log(\alpha)$ the protocol IS* is secure 
in the random oracle model. 



Proof. Assume towards contradiction that a verifier $V^*$, after interacting with 
an adversary $A$, both given $(\mathrm{pk}, \ell)$ as input, accepts with output $b^* = 1$. Thus, 
$A$ must have convinced $V^*$ in the evaluation of the IS protocol or provided at 
least $r/4$ collisions. Due to the independence of the two stages of our protocol 
(in particular, $\mathrm{sk}$ is not used during the collision search) we have 

$$\Pr[A \text{ "breaks" IS*}] \leq \Pr[\mathrm{collCount} \geq r/4] + \Pr[A \text{ "breaks" IS}].$$

Since we assume that the underlying identification scheme is secure, the latter 
probability is negligible. Thus, it remains to show that an adversary $A$ with 
access to a random oracle $H$ finds $r/4$ near-collisions on $H(k_i, \cdot)$ for given $k_i$ 
in time $O(\sqrt[3]{2^\ell})$ with negligible probability only. In the random oracle model, 
the ability of finding collisions is bounded by the birthday attack, which states 
that after sending $\sqrt{2^\ell}$ random input values, at least one pair will collide with 
probability $\geq 1/2$. Taking the possible parallel power of the adversary into account, 
the protocol allows $A$ to make at most $\alpha \cdot \sqrt[3]{2^\ell}$ queries for some constant $\alpha > 1$ 
(Assumption 1). Since $\ell > 6\log(\alpha)$ we have $\alpha \cdot \sqrt[3]{2^\ell} < \sqrt{2^\ell}$, and thus $A$'s success 
probability for finding a collision in each round is $< 1/2$, which vanishes when 
repeating the collision search $r$ times. 

More concretely, the upper bound on the birthday probability for $q$ queries 
and a function with range size $N$ is given by $\frac{q^2}{2N}$ (see e.g. [BKR94]). Thus, 
when considering an adversary making at most $q = \alpha \cdot \sqrt[3]{2^\ell}$ queries to a random 
oracle with range $\{0,1\}^\ell$ we obtain: 

$$\Pr[\mathrm{Coll}] \leq \frac{\alpha^2 \cdot 2^{2\ell/3}}{2 \cdot 2^\ell} = \frac{\alpha^2}{2 \cdot 2^{\ell/3}} < \frac{1}{2}$$

due to the choice of $\ell > 6\log(\alpha)$. The repetition of such a constrained collision search 
does not increase the success probability of the adversary, since the verifier sends 
a fresh "key" $k_i$ in each round. Thus, the adversary cannot reuse already learned 
values from the random oracle, but has to start the collision search from scratch 
for each new key. That is, the probability of $A$ finding a collision is at most 
$\Pr[\mathrm{Coll}]$ in each round. 

Applying the Chernoff bound with $\mu = r \cdot \Pr[\mathrm{Coll}]$ and writing $r/4 = (1+\delta)\mu$ 
yields the probability for finding at least $r/4$ collisions in $r$ independent rounds: 

$$\Pr[\mathrm{collCount} \geq r/4] \leq \exp\left(-\frac{\delta^2 \mu}{2+\delta}\right).$$
5 Note that we give all statements for a random oracle outputting directly $\ell < \log(n)$ 
bits, as we are interested in near-collisions. Such an oracle can be obtained from a 
random oracle with range $\{0,1\}^n$ by simply truncating the output to the first $\ell$ bits. 
Thus, for a constant $\alpha$, and setting $r = \mathrm{poly}(n)$ the above term is negligible 
in $n$. Hence, the overall success probability of $A$ is negligible as well. 
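An added Python experiment, not from the paper, that runs the classical collision-finding stage of Lemma B.1 with the footnote's truncated oracle. SHA-256 over the round's fresh key $k_i$ and the input, cut to its first $\ell$ bits, stands in for $H(k_i, \cdot)$ (an assumption of this example). It contrasts the budget $\alpha \cdot \sqrt[3]{2^\ell}$ the protocol allows per round with the birthday budget $\sqrt{2^\ell}$, using $\ell = 24$ and $\alpha = 2$, which satisfies $\ell > 6\log(\alpha)$; the keys are seeded so that runs repeat.

```python
import hashlib
import random


def truncated_oracle(key, x, ell):
    """H(k_i, x) cut to its first ell bits, as in the footnote; SHA-256 over
    key || x stands in for the random oracle (an assumption of this example)."""
    digest = hashlib.sha256(key + x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - ell)


def round_finds_collision(key, ell, budget):
    """One round of the collision-finding stage: at most `budget` distinct queries
    to H(k_i, .); report whether two of them agree on their ell output bits."""
    seen = set()
    for x in range(budget):
        h = truncated_oracle(key, x, ell)
        if h in seen:
            return True
        seen.add(h)
    return False


def collision_count(rounds, ell, budget, seed):
    """collCount over r rounds. A fresh k_i per round (seeded here so runs repeat)
    forces the search to restart from scratch, which is what the proof relies on."""
    rng = random.Random(seed)
    count = 0
    for _ in range(rounds):
        key = rng.getrandbits(128).to_bytes(16, "big")
        count += round_finds_collision(key, ell, budget)
    return count


def birthday_bound(q, ell):
    """Upper bound q^2 / (2N) on Pr[Coll] for q queries into a range of size N = 2^ell."""
    return q * q / (2 * 2 ** ell)


def protocol_budget(alpha, ell):
    """alpha * cuberoot(2^ell): the number of queries the round timeout allows."""
    return alpha * round(2 ** (ell / 3))


def experiment(ell=24, alpha=2, rounds=100, seed=1):
    """Compare the protocol budget with the birthday budget sqrt(2^ell) over r rounds."""
    q_protocol = protocol_budget(alpha, ell)
    q_birthday = round(2 ** (ell / 2))
    return {
        "protocol_budget": q_protocol,
        "protocol_bound": birthday_bound(q_protocol, ell),
        "protocol_collisions": collision_count(rounds, ell, q_protocol, seed),
        "birthday_budget": q_birthday,
        "birthday_bound": birthday_bound(q_birthday, ell),
        "birthday_collisions": collision_count(rounds, ell, q_birthday, seed),
        "threshold": rounds // 4,
    }
```

With the protocol budget of 512 queries the bound $q^2/2N$ is below 1%, and over 100 rounds the adversary stays far under the $r/4$ threshold; with the birthday budget of 4096 queries a collision shows up in roughly 40% of the rounds, which is the behaviour the timeout is there to rule out. What the experiment cannot show is the quantum side of Lemma B.3, where the same $\sqrt[3]{2^\ell}$-sized budget suffices once $H$ can be evaluated in superposition.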

When considering classical adversaries only, we can securely instantiate the 
random oracle in the IS* scheme by a hash function $H$ that provides near-collision-resistance 
close to the birthday bound. Under this assumption, the security 
proof of our identification scheme carries over to the standard model, as well. 
(We omit a formal proof, as it follows the argumentation of Lemma B.1 closely.) 
Note that it is a particular requirement of the SHA-3 competition [NIS07] that 
the hash function candidates achieve collision-resistance approximately up to 
the birthday bound and provide this property also for any fixed subset of the 
hash functions' output bits. Thus, all remaining SHA-3 candidates (or at least 
the winner of the competition) are supposed to be quasi-optimal near-collision-resistant. 

Security against Quantum Adversaries. We now show that such a result is impossible 
in the quantum world, i.e., for any hash function $H$ there exists a 
quantum adversary $A_Q$ that breaks the IS* protocol (regardless of the security 
of the underlying identification scheme). This contrasts with the security 
that can still be achieved in the (classical) random oracle model: 

Lemma B.2. Let $\mathrm{IS}_Q = (\mathrm{IS.KGen}, \mathcal{P}, \mathcal{V})$ be a secure quantum-immune identification 
scheme. Then for any efficient quantum adversary $A_Q$ and $\ell > 6\log(\alpha)$ 
the protocol IS* is secure in the random oracle model. 

Proof. By assuming that $\mathrm{IS}_Q$ is a quantum-immune identification scheme, an 
adversary $A_Q$ trying to convince a verifier $V^*$ in the IS* protocol must provide 
at least $r/4$ many collisions in the first stage of the protocol. Thus, we have 
to show that a quantum adversary $A_Q$ can succeed in the collision search with 
negligible probability only. 

Note that in order to gain advantage of the quantum speed-up (e.g., by applying 
Grover's search algorithm) the random oracle $H$, resp. the indicator function 
based on $H$, has to be evaluated on quantum states, i.e., on superpositions of 
many input strings. However, by granting $A_Q$ only classical access to the random 
oracle, it is not able to exploit its additional quantum power to find collisions 
on $H$. Thus, $A_Q$ has to stick to the classical collision search on a random oracle, 
which we have proven to succeed in $r/4$ of $r$ rounds with negligible probability, 
due to the constraint of making at most $\alpha \cdot \sqrt[3]{2^\ell}$ oracle queries per round (see 
proof of Lemma B.1 for details). 

We now show that our IS* scheme becomes totally insecure for any instantiation 
of the random oracle by a hash function $H$. 

Lemma B.3. There exists an efficient quantum adversary $A_Q$ such that for any 
hash function $H = (\mathrm{H.KGen}, \mathrm{H.Eval})$ the protocol IS* is insecure. 

Proof. For the proof, we show that a quantum adversary $A_Q$ can find collisions 
on $H$ in at least $r/4$ rounds with non-negligible probability. To this end, we 
first transform the classical hash function $H$ into a quantum-accessible function 
$H_Q$. For the transformation, we use the fact that any classical computation can 
be done on a quantum computer as well [NC00]. The ability to evaluate $H_Q$ 
on superpositions then allows us to apply Grover's algorithm in a straightforward 
manner: for any key $k_i$ that is sent by the verifier $V^*$, the adversary invokes 
Grover's search on an indicator function testing whether $H_Q.\mathrm{Eval}(k_i, x)|_\ell = 
H_Q.\mathrm{Eval}(k_i, x')|_\ell$ for distinct $x \neq x'$ holds. After its evaluations of $H_Q$ the 
algorithm outputs a collision $M_i, M_i'$ with probability $\geq 1/2$. As we assume that 
a quantum evaluation of $H_Q$ requires roughly the same time as an evaluation 
of the corresponding classical function $H$, and we do not charge $A_Q$ for any other 
computation, the collision search of $A_Q$ terminates before $V^*$ stops a round of 
the collision-finding stage. 

Hence, $A_Q$ provides a collision with probability $\geq 1/2$ in each of the $r$ rounds. 
Using the Chernoff bound (with expectation $\mu \geq r/2$ and deviation $\delta = 1/2$), we can now upper bound the probability that $A_Q$ 
finds fewer than $r/4$ collisions as: 

$$\Pr[\mathrm{collCount} < r/4] \leq \exp\left(-\frac{(1/2)^2}{2} \cdot \frac{r}{2}\right) = \exp\left(-\frac{r}{16}\right),$$

which is roughly $\Pr[\mathrm{collCount} < r/4] \leq 0.94^r$ and thus negligible as a function of 
$r$. That is, the adversary $A_Q$ can make $V^*$ accept the interaction with noticeable 
probability at least $1 - \Pr[\mathrm{collCount} < r/4]$. 

As Grover's algorithm only requires (quantum-accessible) black-box access 
to the hash function, the approach described in the proof of Lemma B.3 directly 
applies to the quantum-accessible random oracle model, as well: 

Lemma B.4. The protocol IS* is not secure in the quantum-accessible random 
oracle model. 



C Proof of Lemma 4.4 

Before we prove Lemma 4.4, we need to prove the following two technical lemmas: 



Lemma C.1. Let $|\phi\rangle$ and $|\phi'\rangle$ be superpositions with $|\phi - \phi'| \leq \gamma$. Let $P$ be some 
property on strings. Suppose measuring $|\phi\rangle$ gives a string that satisfies $P$ with 
probability $\epsilon$. Then measuring $|\phi'\rangle$ gives a string that satisfies $P$ with probability 
$\epsilon'$ where 

$$\sqrt{\epsilon} - \gamma \leq \sqrt{\epsilon'} \leq \sqrt{\epsilon} + \gamma.$$

Proof. We will prove this lemma geometrically. We can think of a state $|\phi\rangle$ as 
a vector $\phi$ in $\mathbb{C}^n$, and of the basis elements as elements of the standard basis 
for $\mathbb{C}^n$. We are given that $|\phi - \phi'| \leq \gamma$, meaning that $\phi$ and $\phi'$ have Euclidean 
distance at most $\gamma$. 

For a bit string $x$, the probability that sampling $|\phi\rangle$ results in $x$ is $|\langle x, \phi\rangle|^2$. 
Let $S_P$ be the set of basis elements $x$ such that $x$ satisfies $P$. The probability 
that sampling $|\phi\rangle$ results in a string satisfying $P$ is then given by 

$$\sum_{x \in S_P} |\langle x, \phi\rangle|^2.$$

This is also the square of the length of the projection of $\phi$ onto the subspace 
spanned by $S_P$. So, let $\phi_P$ and $\phi'_P$ be the projections of $\phi$ and $\phi'$ onto the space 
spanned by $S_P$. The probability that sampling $|\phi\rangle$ (resp. $|\phi'\rangle$) results in a string 
satisfying $P$ is simply $\epsilon = |\phi_P|^2$ (resp. $\epsilon' = |\phi'_P|^2$). Projections only decrease 
distance, so by the triangle inequality, 

$$\sqrt{\epsilon'} = |\phi'_P| \leq |\phi_P| + |\phi_P - \phi'_P| \leq |\phi_P| + |\phi - \phi'| \leq \sqrt{\epsilon} + \gamma.$$

Reversing the roles of $|\phi\rangle$ and $|\phi'\rangle$ gives us the other inequality. 

Lemma C.2. Let $A$ be a quantum algorithm that makes at most $q$ queries to a 
quantum random oracle $O$. Fix a $y$ in the co-domain of $O$. The expected value 
of the total query probability of all $x$ such that $O(x) = y$ is at most $2q^3 \cdot 2^{-m}$. 

Proof. Suppose we have an oracle $O'$ for which the output on every input 
is distributed identically and independently, with a uniform distribution over 
$\{0,1\}^m \setminus \{y\}$. We now modify the oracle as follows: for each input $x$, with probability 
$2^{-m}$, replace the output with $y$. This oracle is now a random oracle, so 
its distribution is identical to $O$. 

Let $\sigma_i$ be the total query magnitude over the first $i - 1$ queries of $x$ such 
that we change $O'(x)$. Let $\delta_i$ be the query magnitude of those $x$ in the $i$th query. 
Let $\gamma_i$ be the Euclidean distance between the state of $A$ at the $i$th query when 
using oracle $O'$ and the modified oracle $O$. By (2.2), $\gamma_i \leq \sqrt{(i-1)\sigma_i}$. Let $p_i$ be 
the query magnitude of $x$ such that $O(x) = y$ (which is the same as the query 
probability of $x$ such that we changed $O'(x)$). By the above lemma, 

$$\begin{aligned}
p_i &\leq (\sqrt{\delta_i} + \gamma_i)^2 \\
    &= \delta_i + \gamma_i^2 + 2\sqrt{\delta_i}\,\gamma_i \\
    &\leq \delta_i + (i-1)\sigma_i + 2\sqrt{(i-1)\delta_i\sigma_i} \\
    &\leq \delta_i + (i-1)\sigma_i + 2\sqrt{i-1}\,(\delta_i + \sigma_i).
\end{aligned}$$

Now, observe that since we are deciding whether to change the output of a 
query point at random and independently, the expected query probability of the 
points that we changed in each query is exactly $2^{-m}$. Thus, $\mathbb{E}[\delta_i] = 2^{-m}$ and 
$\mathbb{E}[\sigma_i] = (i-1)2^{-m}$. Thus, 

$$\mathbb{E}[p_i] \leq 2^{-m}\big(1 + (i-1)^2 + 2\sqrt{i-1}\,(1 + (i-1))\big) \leq 2^{-m} \cdot 2i^2.$$

This result is not surprising, as it implies that any quantum algorithm which is 
to output a preimage of $y$ with overwhelming probability must make $\Omega(\sqrt{2^m})$ 
quantum oracle queries, which is the well known lower bound for the unstructured 
search problem (see Bennett et al. [BBBV97] for more). Summing over all $q$ 
queries gives the expected query probability of $x$ such that $O(x) = y$ to be at 
most $2 \cdot 2^{-m} q^3$. 



Proof of Lemma 4.4. We are given a random oracle $O$ and a distribution $D$ 
that is $\epsilon$-close to uniform. Observe that: 

$$\begin{aligned}
\epsilon &= \sum_y \big|\Pr[y|D] - 2^{-m}\big| \\
  &= \sum_{y:\,\Pr[y|D] > 2^{-m}} \big(\Pr[y|D] - 2^{-m}\big) + \sum_{y:\,\Pr[y|D] < 2^{-m}} \big(2^{-m} - \Pr[y|D]\big) \\
0 &= \sum_{y:\,\Pr[y|D] > 2^{-m}} \big(\Pr[y|D] - 2^{-m}\big) - \sum_{y:\,\Pr[y|D] < 2^{-m}} \big(2^{-m} - \Pr[y|D]\big)
\end{aligned}$$

Thus, 

$$\sum_{y:\,\Pr[y|D] > 2^{-m}} \big(\Pr[y|D] - 2^{-m}\big) = \sum_{y:\,\Pr[y|D] < 2^{-m}} \big(2^{-m} - \Pr[y|D]\big) = \frac{\epsilon}{2}.$$

Define a distribution $D'$ as follows: 

• If $\Pr[y|D] \leq 2^{-m}$, $\Pr[y|D'] = 0$. 

• If $\Pr[y|D] > 2^{-m}$, $\Pr[y|D'] = \big(\Pr[y|D] - 2^{-m}\big) \cdot 2/\epsilon$. 

All the probabilities are clearly non-negative. For this to be a probability distribution, 
the probabilities need to sum to 1: 

$$\sum_y \Pr[y|D'] = \sum_{y:\,\Pr[y|D] > 2^{-m}} \big(\Pr[y|D] - 2^{-m}\big)\frac{2}{\epsilon} = \frac{\epsilon}{2} \cdot \frac{2}{\epsilon} = 1.$$

Now, we can create another distribution $D''$ as follows: first, generate $y$ uniformly 
at random. Then, 

• If $\Pr[y|D] \geq 2^{-m}$, output $y$. 

• If $\Pr[y|D] < 2^{-m}$, then with probability $2^m \Pr[y|D]$, output $y$. Otherwise, 
pick a $y'$ from $D'$ and output $y'$. 

If $\Pr[y|D] < 2^{-m}$, $\Pr[y|D''] = 2^{-m} \times (2^m \Pr[y|D]) = \Pr[y|D]$. Otherwise, 

$$\begin{aligned}
\Pr[y|D''] &= 2^{-m} + \sum_{y':\,\Pr[y'|D] < 2^{-m}} 2^{-m}\big(1 - 2^m \Pr[y'|D]\big)\Pr[y|D'] & \text{(C.1)} \\
 &= 2^{-m} + \sum_{y':\,\Pr[y'|D] < 2^{-m}} \big(2^{-m} - \Pr[y'|D]\big)\big(\Pr[y|D] - 2^{-m}\big)\frac{2}{\epsilon} & \text{(C.2)} \\
 &= 2^{-m} + \frac{\epsilon}{2}\big(\Pr[y|D] - 2^{-m}\big)\frac{2}{\epsilon} = \Pr[y|D]. & \text{(C.3)}
\end{aligned}$$

Thus $D'' = D$. This demonstrates that we can construct the oracle $O'$ whose 
elements are distributed according to $D$ as follows: Start with the random oracle 
$O$, and for each input $x$, if $\Pr[O(x)|D] < 2^{-m}$, then with probability 
$1 - 2^m \Pr[O(x)|D]$, replace the output with a $y'$ drawn from $D'$. Otherwise 
leave the oracle unchanged at that point. 

Now we bound the expected query magnitude of $x$ such that the oracle 
changed. By the above lemma, the expected total query probability of any $x$ 
such that $O(x) = y$ is $2q^3 2^{-m}$. Let $\sigma$ be the query magnitude of points $x$ at 
which we changed the oracle: 

$$\begin{aligned}
\mathbb{E}[\sigma] &= \sum_{x:\,\Pr[O(x)|D] < 2^{-m}} \big(1 - 2^m \Pr[O(x)|D]\big) \times (\text{total query magnitude of } x) \\
 &= \sum_{y:\,\Pr[y|D] < 2^{-m}} \big(1 - 2^m \Pr[y|D]\big)\,\mathbb{E}\big[\text{total query magnitude of } x \text{ such that } O(x) = y\big] \\
 &\leq \sum_{y:\,\Pr[y|D] < 2^{-m}} \big(1 - 2^m \Pr[y|D]\big)\, 2q^3 2^{-m} \\
 &= 2q^3 \sum_{y:\,\Pr[y|D] < 2^{-m}} \big(2^{-m} - \Pr[y|D]\big) = 2q^3 \cdot \frac{\epsilon}{2} = q^3\epsilon.
\end{aligned}$$

Thus the expected Euclidean distance is 

$$\mathbb{E}\big[\sqrt{q\sigma}\big] \leq \sqrt{q\,\mathbb{E}[\sigma]} \leq \sqrt{q \times q^3 \epsilon} = q^2\sqrt{\epsilon}.$$

This means the expected variational distance of the output distributions is at 
most $4q^2\sqrt{\epsilon}$. Thus, the distribution of outputs when the oracle values are distributed 
according to $D$ is at most $4q^2\sqrt{\epsilon}$ away from the distribution of outputs 
when the oracle is truly random. □ 
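An added exact check, not from the paper, of the resampling construction $D''$ above. For a constructed 3-bit distribution $D$ that is $\epsilon$-close to uniform it builds $D'$, evaluates the law of $D''$ by the formula of (C.1) to (C.3) with exact rationals, and returns the per-point probability that the resampling step replaces the oracle value, which the derivation says must equal $\epsilon/2$. The function and variable names are this example's own.

```python
from fractions import Fraction

M = 3                      # oracle outputs are m = 3 bit strings
N = 2 ** M
UNIFORM = Fraction(1, N)

# Constructed distribution D on {0,...,7}; it sums to 1 and is epsilon-close to uniform.
D = [Fraction(3, 16), Fraction(1, 16), Fraction(1, 8), Fraction(1, 8),
     Fraction(5, 32), Fraction(3, 32), Fraction(1, 8), Fraction(1, 8)]


def closeness(dist):
    """epsilon = sum_y |Pr[y|D] - 2^-m|, the measure used in the lemma."""
    return sum(abs(p - UNIFORM) for p in dist)


def d_prime(dist):
    """D': the excess mass of the over-represented y, normalised by 2/epsilon."""
    eps = closeness(dist)
    return [(p - UNIFORM) * 2 / eps if p > UNIFORM else Fraction(0) for p in dist]


def replacement_probability(dist):
    """Probability that the resampling step replaces a uniformly drawn y,
    i.e. the sum over under-represented y of 2^-m (1 - 2^m Pr[y|D])."""
    return sum(UNIFORM * (1 - N * p) for p in dist if p < UNIFORM)


def d_double_prime(dist):
    """Exact law of D'': draw y uniformly; keep it if Pr[y|D] >= 2^-m, otherwise keep
    it with probability 2^m Pr[y|D] and resample from D' with the remaining probability."""
    dp = d_prime(dist)
    replaced = replacement_probability(dist)
    law = []
    for y, p in enumerate(dist):
        if p >= UNIFORM:
            law.append(UNIFORM + replaced * dp[y])      # (C.1) to (C.3)
        else:
            law.append(UNIFORM * N * p)
    return law


def check(dist):
    """Returns (D'' equals D, replacement probability equals epsilon/2)."""
    return (d_double_prime(dist) == list(dist),
            replacement_probability(dist) == closeness(dist) / 2)
```

The second value is the quantity the query-magnitude bound is built on: the oracle is rewritten at each input with probability exactly $\epsilon/2$, so a $q$-query algorithm can only notice the rewrite through the $O(q^3 2^{-m})$ query mass Lemma C.2 assigns to any fixed output value.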